JP2004032707A - Revocation list preparation apparatus for public key certificate, revocation discrimination apparatus, and authentication system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a revocation list preparation apparatus and a revocation discrimination apparatus capable of reducing the size of a CRL. <P>SOLUTION: A leaf of a tree structure corresponds to a public key certificate. A leaf identifier identifies the public key certificate. Nodes from the leaf corresponding to a cancelled public key certificate to a root are invalidated. The revocation list preparation apparatus creates revocation information denoting whether or not each of subordinate nodes except the leaf is invalidated and prepares the revocation list including a plurality of revocation information items arranged according to an arrangement order. The revocation discrimination apparatus uses the revocation information in the revocation list to try to build up a path from the root to the leaf and discriminates that the acquired public key certificate is invalidated when the built-up path includes the leaf. <P>COPYRIGHT: (C)2004,JPO

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to an authentication technique using a public key encryption technique, and particularly to a technique for specifying a certificate of a revoked public key.
[0002]
[Prior art]
In recent years, with the rapid spread of the use of the Internet, systems using the Internet as a communication base are increasing. For example, one example is electronic commerce for buying and selling goods via the Internet.
In such a system using the Internet as a communication base, it is an essential condition to confirm that the communication partner is a valid participant of the system. Such confirmation is called authentication. The communication partner may be a device operated by a human or a device that performs processing according to a predetermined procedure. In the following, a device including both of them will be referred to as a device. Authenticating the communication partner is called device authentication. Note that “proving” means that the device itself has legitimacy, that is, indicating that the device is a valid participant of the system, and “verifying” that checking the validity of the other party is called “verifying”. Authentication is a concept that includes both certification and verification.
[0003]
In device authentication, encryption technology is usually used. That is, the prover confidentially has data indicating that he is a valid participant of the system, and proves his / her validity by showing the verifier that he / she has the secret data. . On the other hand, the verifier verifies the validity of the prover by confirming that the prover has secret data. In a communication channel such as the Internet where anyone can obtain communication data, the secret data for authentication (authentication data) must not be leaked to a third party who is not involved in authentication. If secret data leaks to a third party, the device that obtained the secret data can impersonate the original device. For this purpose, the authentication data is encrypted and transmitted only to the verifier.
[0004]
The encryption technology includes a common key encryption technology and a public key encryption technology. In the common key encryption technology, a key for encryption and a key for decryption have the same value. On the other hand, in the public key cryptography, a key for encryption and a key for decryption have different values.
In authentication using symmetric key cryptography, the verifier has the same secret as the prover, so there is a danger that the verifier will impersonate the prover. The so-called password method corresponds to this. On the other hand, in authentication using public key cryptography, a prover certifies using a secret key of public key cryptography, and a verifier verifies using a public key corresponding to the secret key. Since the private key cannot be created, the verifier cannot impersonate the prover after authentication is completed. For this reason, it is desirable to use the public key cryptography for performing the above-mentioned authentication.
[0005]
In the authentication using the public key cryptography, performing a process using a secret key is referred to as a signature, and verifying the validity of the signature using a public key corresponding to the secret key is referred to as verifying.
An example of the partner authentication processing using the public key encryption technology is as follows. That is, the first device transmits random number data as challenge data to the second device, and subsequently, the second device signs the received random number data with its own private key and generates a signature. The generated signature is returned to the first device as response data, and finally, the first device verifies the returned signature using the public key of the second device.
[0006]
In the authentication using the public key encryption technology as described above, it is assumed that the public key itself is valid in the system.
For this purpose, a "public key certificate"("certified" for the public key) is issued from an organization called a certification authority in the system, indicating that the public key is valid for each device. It is common that A public key certificate is data obtained by combining the identification name of a device, an expiration date, and a public key with an electronic signature of a certification authority added thereto. After confirming the correctness of the electronic signature of the public key certificate, and further confirming the contents of the public key certificate from the identification name of the partner device and the current time, the correctness of the public key is confirmed.
[0007]
Furthermore, among public key certificates issued in the past, public key certificates of devices that have been removed from the system and are not valid are required to notify other devices that they have been revoked. A public key certificate revocation list (CRL) in which a digital signature of a certificate authority is added to a list of information specifying the revoked public key certificate is issued.
[0008]
As described above, when authenticating the partner device using the public key of the partner device, the public key certificate of the partner device is obtained, and the obtained public key certificate is not registered in the CRL. In other words, by performing the above-described authentication processing after confirming that the device is not invalidated, it is possible to avoid a transaction with an unauthorized partner device.
Note that the format, implementation example, and the like of the CRL are well-known technologies, and thus details thereof will not be described here. As an example, Non-Patent Literature 1 discloses X.264 defined by ISO / IEC / ITU. The CRL format (data structure) defined by the H.509 standard is disclosed.
[0009]
Non-Patent Documents 2 and 3 describe a tree-structured data storage method that can be used as one of the data formats for storing a large number of public key certificate IDs to be invalidated. Is disclosed. In this method, the tree structure is expressed in one dimension by arranging each node of the tree structure according to a certain rule. For example, p. 136 shows how to arrange in order of level. According to this arrangement method, levels (corresponding to a hierarchy in the tree structure) are arranged in ascending order, and within each level, nodes are arranged from left to right in the order of the nodes of the level.
[0010]
By using such an arrangement method based on a specific rule, a device can construct a tree structure from information arranged in one dimension.
As described above, the device acquires the CRL and stores the acquired CRL in the internal memory and the memory before authenticating the partner device using the public key of the partner device. It is checked whether or not the public key certificate ID of the partner device exists in the CRL, and if not, the authentication is performed. For this reason, the device must secure a memory having a sufficient capacity to store the CRL.
[0011]
[Non-patent document 1]
"Digital Signature and Cryptography" (Translated by Shinichiro Yamada, Pearson Education, 2000)
[0012]
[Non-patent document 2]
"Manipulation of Trees in Information Retrieval" (G. Salton, Communication of the ACM 5, 1962)
[0013]
[Non-Patent Document 3]
"Basic Algorithm / Information Structure" (translated by Yoneda and Kakehi, Science Inc., 1978)
[0014]
[Problems to be solved by the invention]
However, the conventional CRL includes the IDs of all the public key certificates to be revoked, and the size thereof is proportional to the number of the public key certificates to be revoked. Then, the size of the CRL increases accordingly.
For this reason, there is a problem that it is not practical for the device to secure a memory having a sufficient capacity for storing the CRL, assuming the CRL having the maximum size.
[0015]
For example, assume that the total number of public key certificates in the entire system is 230 (approximately 1 billion), the number of revoked certificates is 100,000, 0.01% of which, and the size of the ID is 30 bits. . At this time, since the conventional CRL includes all IDs, the size of the CRL is 30 bits × 100,000 = about 375 [KB]. Therefore, the device only needs to secure about 375 [KB] of memory to store the CRL. However, if the number of revoked certificates is 0.02% or 200,000, the size of the CRL is 30 bits × 200,000 = about 750 [KB], and the device is about 750 [KB]. Memory must be secured. Furthermore, if the number of revoked certificates increases, the device must secure more memory.
[0016]
[Means for Solving the Problems]
In order to solve the above problems, the present invention provides a revocation list generation device, a revocation determination device, an authentication system, which can keep the CRL size small even when the number of public key certificates to be revoked increases. An object of the present invention is to provide a revocation list generation method, a program, a recording medium, a revocation determination method, a program, and a recording medium.
[0017]
In order to achieve the above object, the present invention relates to an authentication system using public key cryptography, which has a secret key and a public key in a public key cryptographic algorithm, and uses the secret key to communicate with a communication partner. A terminal device that certifies the validity of the terminal device, a public key certificate issuing device that issues and distributes a public key certificate to at least data including a public key of the terminal device, and a terminal device that is invalidated. A revocation list generation device that issues and distributes a public key certificate revocation list that identifies the public key certificate issued by the public key certificate issuing device, a public key certificate of a terminal device to be verified, and the public key A revocation list using device that receives a key certificate revocation list and determines whether the public key certificate is registered in the public key certificate revocation list; Composed of a verification device for verifying a self correctness proof performed by the communication partner by using a public key is determined invalid.
[0018]
The revocation list generation device constructs and stores a tree structure including a plurality of layers, assigns a unique value for identifying a public key certificate of each terminal device to a leaf of the tree structure, and further stores and stores If a unique value of a public key certificate to be revoked is associated with at least one of the leaves that are descendants of a node for a given tree structure, that node is regarded as a revoked node, and at least one of the child nodes For a node, one of which is an invalidation node, an identifier for identifying whether each child node is an invalidation node is indicated by an identifier for identifying whether or not each child node is an invalidation node. The public key certificate revocation list is further arranged by arranging node revocation patterns of the entire tree structure based on a predetermined rule for tracing all nodes of the tree structure. Generated.
[0019]
The revocation list using apparatus analyzes a public key certificate revocation list in which the node revocation patterns are arranged based on the predetermined rule, and determines that the public key certificate of the terminal to be verified is invalidated. It is determined whether or not it is registered in the list.
The present invention also provides a public key certificate issuing device for issuing and distributing a public key certificate to data comprising a public key of a terminal device, and a public key certificate issuing device for the terminal device to be revoked. A revocation list generation device that issues and distributes a public key certificate revocation list that specifies the public key certificate issued by the device.
[0020]
The revocation list generation device constructs and stores a tree structure including a plurality of layers, assigns a unique value for identifying a public key certificate of each terminal device to a leaf of the tree structure, and further stores and stores If a unique value of a public key certificate to be revoked is associated with at least one of the leaves that are descendants of a node for a given tree structure, that node is regarded as a revoked node, and at least one of the child nodes For a node, one of which is an invalidation node, an identifier for identifying whether each child node is an invalidation node is indicated by an identifier for identifying whether or not each child node is an invalidation node. The public key certificate revocation list is further arranged by arranging node revocation patterns of the entire tree structure based on a predetermined rule for tracing all nodes of the tree structure. Generated.
[0021]
BEST MODE FOR CARRYING OUT THE INVENTION
1. First embodiment
A copyright protection system 10 according to one embodiment of the present invention will be described.
1.1 Configuration of copyright protection system 10
As shown in FIG. 1, the copyright protection system 10 includes a key management device 100, a key information recording device 200, recording devices 300a, 300b, 300c,... And reproduction devices 400a, 400b, 400c,. Have been.
[0022]
The key management device 100 records the key information by using the key information recording device 200 on a recording medium 500a, which is a recordable medium such as a DVD-RAM, on which no information is currently recorded, and records the key information. The recorded recording medium 500b is generated in advance. Further, the key management device 100 allocates a device key for decrypting key information to each of the recording devices 300a, 300b, 300c,... And the playback devices 400a, 400b, 400c,. The device key, device key identification information for identifying the device key, and ID information for identifying the recording devices 300a, 300b, 300c,... And the reproducing devices 400a, 400b, 400c,. , 300b, 300c,... And the playback devices 400a, 400b, 400c,.
[0023]
The recording device 300a respectively encrypts the digitized content to generate an encrypted content, records the generated encrypted content on the recording medium 500b, and generates the recording medium 500c. The playback device 400a extracts the encrypted content from the recording medium 500c, and decrypts the encrypted content to obtain the original content. The recording devices 300b, 300c, ... operate in the same manner as the recording device 300a, and the playback devices 400b, 400c, ... operate in the same manner as the playback device 400a.
[0024]
In the following, the recording devices 300b, 300c,... And the reproducing devices 400b, 400c,.
1.1.1 Key Management Device 100
As shown in FIG. 2, the key management device 100 includes a tree structure construction unit 101, a tree structure storage unit 102, a device key allocation unit 103, an invalidation device designation unit 104, a tree structure update unit 105, a key information header generation unit 106 And a key information generation unit 107.
[0025]
The key management device 100 is, specifically, a computer system including a microprocessor, a ROM, a RAM, a hard disk unit, a display unit, a keyboard, a mouse, and the like. A computer program is stored in the RAM or the hard disk unit. The key management device 100 achieves its functions by the microprocessor operating according to the computer program.
[0026]
(1) Tree structure storage unit 102
The tree structure storage unit 102 is specifically composed of a hard disk unit, and has a tree structure table D100 as shown as an example in FIG.
The tree structure table D100 corresponds to the tree structure T100 shown as an example in FIG. 4, and shows a data structure for expressing the tree structure T100. As will be described later, a data structure for expressing the tree structure T100 by the tree structure construction unit 101 is generated as a tree structure table D100 and written to the tree structure storage unit 102.
[0027]
(Tree structure T100)
As shown in FIG. 4, the tree structure T100 is a binary tree including five layers from layer 0 to layer 4. Since the tree structure T100 is a binary tree, each node (excluding leaves) of the tree structure T100 is connected to two lower nodes via two paths. Layer 0 contains one node that is the root, layer 1 contains two nodes, layer 2 contains four nodes, and layer 3 contains eight nodes. , Layer 4 includes 16 nodes as leaves. In the tree structure, the lower side indicates the leaf side, and the upper side indicates the root side.
[0028]
Of the two paths connecting each node (except the leaf) of the tree structure T100 and the lower node, one of the left paths is assigned the number “0”, and the other is the number “0”. Is assigned a number “1”. Here, on the page of FIG. 4, a path connected to each node from the node to the lower left is referred to as a left path, and a path connected to the node from the node to the lower right is referred to as a right path. I have.
[0029]
Each node is given a node name. The node name of the node that is the root is “root”. In addition, a character string including the same number of characters as the value indicated by the number of layers is given as a node name to nodes belonging to layers lower than layer 1 including layer 1. This character string is generated by arranging the numbers assigned to the route from the root to the node in order from the top. For example, the node names of two nodes belonging to layer 1 are “0” and “1”, respectively. The node names of the four nodes belonging to layer 2 are “00”, “01”, “10”, and “11”, respectively. The node names of the eight nodes belonging to layer 3 are “000”, “001”, “010”, “011”,..., “101”, “110”, and “111”. The node names of the 16 nodes belonging to layer 4 are “0000”, “0001”, “0010”, “0011”,..., “1100”, “1101”, “1110”, and “1111”. ".
[0030]
(Tree structure table D100)
The tree structure table D100 is configured to include the same number of node information as the nodes included in the tree structure T100, and each node information corresponds to each node configuring the tree structure T100.
Each node information includes a node name, a device key, and a revocation flag.
[0031]
The node name is a name for identifying a node corresponding to the node information. The device key is a key assigned to a node corresponding to the node information.
The revocation flag is a flag indicating whether or not the device key corresponding to the node information has been revoked. When the revocation flag is “0”, it indicates that the device key has not been revoked. When the invalidation flag is “1”, it indicates that the invalidation has been performed.
[0032]
Each node information is stored in the tree structure table D100 in the order according to the following order rule 1. The order rule 1 shown here is applied even when each node information is sequentially read from the tree structure table D100 by the recording devices 300a, 300b, 300c,..., The reproducing devices 400a, 400b, 400c,. Is done.
[0033]
(A) In the tree structure table D100, node information corresponding to nodes belonging to each layer is stored in ascending order of the number of layers of the tree structure T100. Specifically, in the tree structure table D100, one piece of node information corresponding to one route belonging to layer 0 is first stored, and then two nodes corresponding to two nodes belonging to layer 1 are stored. Pieces of node information are stored, and then four pieces of node information corresponding to the four nodes belonging to layer 2 are stored. The same applies hereinafter.
[0034]
(B) For nodes belonging to each layer, corresponding node information is stored in ascending order of node names identifying each node.
Specifically, each node information is stored in the tree structure table D100 shown in FIG. 3 in the following order.
"Route", "0", "1", "00", "01", "10", "11", "000", "001", "010", "011", ..., "101" , "110", "111", "0000", "0001", "0010", "0011", ..., "1100", "1101", "1110", "1111"
Here, the order in which each node information is stored is indicated by the node name included in each node information.
[0035]
(2) Tree structure construction unit 101
The tree structure construction unit 101 constructs a data structure of an n-ary tree for managing device keys as described below, and stores the constructed tree structure in the tree structure storage unit 102. Here, n is an integer of 2 or more, and as an example, n = 2.
The tree structure construction unit 101 first generates node information including “root” as a node name, and writes the node information to the tree structure table of the tree structure storage unit 102.
[0036]
Next, the tree structure construction unit 101 generates node names “0” and “1” for identifying two nodes with respect to layer 1, and generates two node names including the generated node names “0” and “1”, respectively. Is generated, and the generated two pieces of node information are added in this order to the tree structure table of the tree structure storage unit 102 and written.
Next, the tree structure construction unit 101 generates node names “00”, “01”, “10”, and “11” for identifying four nodes for layer 2, and generates the generated node names “00”, Four pieces of node information including “01”, “10”, and “11” are generated, and the generated four pieces of node information are added to the tree structure table of the tree structure storage unit 102 in this order. And write.
[0037]
Thereafter, the tree structure construction unit 101 performs the generation of the node information and the writing to the tree structure table for the layers 3 and 4 in this order in the same manner as described above.
Next, the tree structure construction unit 101 generates a device key using a random number for each node of the tree structure, and writes the generated device key in the tree structure table in association with each node.
[0038]
(3) Device key assignment unit 103
The device key assignment unit 103 appropriately associates a leaf to which a user device is not assigned with a user device to which a device key is to be assigned from the tree structure stored in the tree structure storage unit 102 as described below. Device key, and outputs the selected device key to the user device.
[0039]
The device key assignment unit 103 has a 4-bit variable ID.
The device key assignment unit 103 repeats the following processes (a) to (f) 16 times. In each of the 16 repetitions, the variable ID holds a value of “0000”, “0001”, “0010”,..., “1110”, “1111”. By repeating 16 times, the device key assignment unit 103 assigns ID information and 5 device keys to each of the 16 user devices.
[0040]
(A) The device key assignment unit 103 acquires node information including the node name of “root” from the tree structure table of the tree structure storage unit 102, and extracts a device key included in the acquired node information. The extracted device key is the device key assigned to the root.
(B) The device key assignment unit 103 acquires, from the tree structure table of the tree structure storage unit 102, node information including the node name consisting of the first one bit of the variable ID, and acquires the device key included in the acquired node information. Extract. Here, the extracted device key is referred to as a device key A.
[0041]
(C) The device key assignment unit 103 acquires node information including a node name consisting of the first two bits of the variable ID from the tree structure table of the tree structure storage unit 102, and assigns the device key included in the acquired node information. Extract. Here, the extracted device key is referred to as a device key B.
(D) The device key assignment unit 103 acquires node information including a node name consisting of the first three bits of the variable ID from the tree structure table of the tree structure storage unit 102, and assigns a device key included in the acquired node information to the node information. Extract. Here, the extracted device key is referred to as a device key C.
[0042]
(E) The device key assignment unit 103 acquires, from the tree structure table included in the tree structure storage unit 102, node information including a node name including the first 4 bits of the variable ID, and acquires the device key included in the acquired node information. Extract. Here, the extracted device key is referred to as a device key D.
(F) The device key assignment unit 103 stores the variable ID as ID information, the device key assigned to the root, the device keys A, B, C, D assigned to each node, and the five device keys. The five device key identification information items to be identified are written to the key information storage unit of the user device.
[0043]
In this way, the key information storage unit of each user device stores the ID information, the five device key identification information, and the five device keys as shown as an example in FIG. Here, the five device key identification information and the five device keys are associated with each other. Each device key identification information is the number of layers (layer number) to which the node to which the corresponding device key is assigned belongs.
[0044]
As described above, the ID information and the five device keys are assigned to each of the 16 user devices.
As an example, as described above, the tree structure T100 illustrated in FIG. 4 is a binary tree having five layers, and includes 16 leaves. Here, it is assumed that there are 16 user devices, and each of the 16 user devices corresponds to 16 leaves. Each user device is provided with a device key assigned to a node located on a path from a corresponding leaf to a root in the tree structure T100. For example, the user device 1 is given five device keys of IK1, KeyH, KeyD, KeyB, and KeyA. Further, for example, the user device 1 is provided with ID information “0000”, and the user device 14 is provided with ID information “1101”.
[0045]
(4) Invalidation device designation unit 104
The revocation device specifying unit 104 receives one or more pieces of ID information for identifying one or more user devices to be revoked from the operation manager of the key management device 100, and transmits the received ID information to the tree structure updating unit 105. Output to
(5) Tree structure updating unit 105
The tree structure updating unit 105 receives one or more pieces of ID information from the invalidation device specifying unit 104. Upon receiving the ID information, the following processes (a) to (d) are repeated for each of the received one or more pieces of ID information.
[0046]
(A) The tree structure update unit 105 acquires node information including the received ID information as a node name from the tree structure table of the tree structure storage unit 102, and adds an invalidation flag “1” to the acquired node information. Then, the node information to which the invalidation flag “1” is added is overwritten on the tree structure table at the position where the acquired node information is stored.
[0047]
(B) The tree structure updating unit 105 acquires node information including the first three bits of the received ID information as a node name from the tree structure table of the tree structure storage unit 102, and acquires the acquired node information in the same manner as described above. To the tree structure table by adding an invalidation flag “1” to the table.
(C) The tree structure updating unit 105 acquires node information including the first two bits of the received ID information as a node name from the tree structure table of the tree structure storage unit 102, and acquires the acquired node information in the same manner as described above. To the tree structure table by adding an invalidation flag “1” to the table.
[0048]
(D) The tree structure updating unit 105 acquires node information including “root” as a node name from the tree structure table of the tree structure storage unit 102, and adds an invalidation flag “ "1" is added to overwrite the tree structure table.
As described above, based on the ID information received from the invalidation device specifying unit 104, the tree structure updating unit 105 determines, based on the ID information received from the leaf indicated by the received ID information, everything existing on the path from the leaf indicated by the received ID information to the node. Invalidate the node.
[0049]
In the tree structure T100 illustrated in FIG. 4, when it is assumed that the user devices indicated by the ID information “0000”, “1010”, and “1011” are invalidated, the tree structure in which the nodes are invalidated as described above. T200 is shown in FIG.
The tree structure table D100 has an invalidation flag added corresponding to the tree structure T200.
[0050]
In the tree structure T200, all nodes existing on the path from the leaf corresponding to the user device 1 indicated by the ID information “0000” to the root, from the leaf corresponding to the user device 11 indicated by the ID information “1010” to the root , All nodes existing on the path from the leaf to the root corresponding to the user device 12 indicated by the ID information “1011” are marked with “X”. Indicates a disabled node.
[0051]
In the tree structure table D100, an invalidation flag is added to the node information corresponding to the invalidated node.
(6) Key information header generator 106
The key information header generation unit 106 has a variable i indicating the number of layers and a variable j indicating the name of a node included in the layer.
[0052]
The key information header generation unit 106 repeats the following process (a) for the number of layers included in the tree structure. In each of the repetitions for the number of layers, the variable i indicating the number of layers holds values of “0”, “1”, “2”, and “3”.
(A) The key information header generation unit 106 repeats the following processes (a-1) to (a-3) for each node by the number of all nodes included in the layer whose number of layers is indicated by the variable i. . Here, a target node name to be subjected to the processes (a-1) to (a-3) is indicated by a variable j.
[0053]
(A-1) The key information header generation unit 106 acquires node information including a node name obtained by joining “0” to a variable j from the tree structure table of the tree structure storage unit 102, The node information including the node name obtained by combining “1” is obtained.
The two pieces of node information thus obtained correspond to the two lower nodes connected immediately below the target node indicated by the variable j.
[0054]
(A-2) The key information header generation unit 106 checks whether or not both of the invalidation flags included in each of the two pieces of acquired node information are “0”, and if both are “0”, , The two invalidation flags included in each of the obtained two pieces of node information are arranged in the order in which the two pieces of node information are stored in the tree structure table, and the node invalidation is performed. Pattern (Node Revocation)
Pattern, hereinafter, referred to as NRP. ).
[0055]
Specifically, if the invalidation flags included in each of the two pieces of acquired node information are “0” and “0”, no node invalidation pattern is generated.
If the invalidation flags included in each of the two pieces of acquired node information are “1” and “0”, NRP {10} is generated.
[0056]
If the invalidation flags included in each of the two pieces of acquired node information are “0” and “1”, NRP {01} is generated.
When the invalidation flags included in each of the two pieces of acquired node information are “1” and “1”, NRP {11} is generated.
(A-3) The key information header generation unit 106 outputs the generated NRP to the key information recording device 200.
[0057]
As described above, the key information header generation unit 106 checks, for each node in the tree structure layer, whether two lower nodes directly connected to the lower side of the node are invalidated. If one of the two lower nodes is invalidated, the NRP is generated as described above. In the tree structure T200 shown in FIG. 5, NRPs generated corresponding to the nodes are shown near nodes marked with a cross.
[0058]
In addition, since the key information header generation unit 106 outputs the NRP in the above-described repetition, in the case shown in FIG. 5, a plurality of NRPs shown as an example in FIG. 6 are generated and output. The key information header generator 106 outputs the plurality of NRPs as header information.
In the tree structure T200 illustrated in FIG. 5, the user device 1, the user device 11, and the user device 12 are each invalidated. Here, nodes existing on the route from the leaf corresponding to each user device to be invalidated to the root (nodes marked with a cross in FIG. 5) are referred to as invalidated nodes. In addition, the case where the child node of one node is an invalidation node is represented by “1”, and the case where it is not the case is represented by “0”. It is. The NRP is n-bit information in the case of an n-ary tree. Regarding the root T201 of the tree structure T200 in FIG. 5, the NRP is expressed as {11} because both the child nodes are invalidation nodes. The NRP assigned to the node T202 is expressed as {10}. Also, although the node T203 is an invalidated node, it is a leaf having no child node, and thus no NRP is added.
[0059]
As shown as an example in FIG. 6, the header information D200 is composed of NRP {11}, {10}, {10}, {10}, {01}, {10}, {11}. Include in order.
Note that the positions where the plurality of NRPs are stored in the header information D200 are determined. This position is determined by the above repetition. As shown in FIG. 6, NRP {11} at positions determined by “0”, “1”, “2”, “3”, “4”, “5” and “6” in the header information D200, respectively. , {10}, {10}, {10}, {01}, {10}, {11}.
[0060]
As described above, the key information header generation unit 106 extracts one or more NRPs of the invalidation node, and outputs the extracted NRP to the key information recording device 200 as header information of the key information. At this time, the key information header generation unit 106 arranges a plurality of NRPs in order of level. That is, a plurality of NRPs are arranged in order from an upper layer to a lower layer, and NRPs having the same layer are arranged in order from left to right. Note that the arrangement of the NRPs may be based on a certain rule. For example, when the layers are the same, the NRPs may be arranged in order from right to left.
[0061]
(7) Key information generation unit 107
The key information generation unit 107 has a variable i indicating the number of layers and a variable j indicating the name of a node included in the layer, similarly to the key information header generation unit 106.
The key information generation unit 107 repeats the following process (a) for the number of layers except for the layer 0 included in the tree structure. In each of the repetitions for the number of layers, the variable i indicating the number of layers holds the values of “1”, “2”, and “3”.
[0062]
(A) The key information generation unit 107 repeats the following processes (a-1) to (a-3) for each node by the number of all nodes included in the layer whose number is indicated by the variable i. Here, a target node name to be subjected to the processes (a-1) to (a-3) is indicated by a variable j.
(A-1) The key information generation unit 107 acquires node information including the variable j as a node name from the tree structure table of the tree structure storage unit 102, and sets the invalidation flag included in the acquired node information to “1”. ”Or“ 0 ”.
[0063]
(A-2) When the invalidation flag is “0”, the key information generation unit 107 further determines whether or not encryption has been performed with the device key corresponding to the upper node connected to the target node. Judge.
(A-3) When the encryption has not been performed, the key information generation unit 107 extracts the device key included in the acquired node information, applies the encryption algorithm E1, and uses the extracted device key. Then, the generated media key is encrypted to generate an encrypted media key.
[0064]
Encrypted media key = E1 (device key, media key)
Here, E (A, B) indicates that the data B is encrypted using the key A by applying the encryption algorithm E.
Further, the encryption algorithm E1 is, for example, DES (Data Encryption Standard).
[0065]
Next, the key information generation unit 107 outputs the generated encrypted media key to the key information recording device 200.
When the invalidation flag “1” is added or when encryption is performed, the process (a-3) is not performed.
As described above, the key information generation unit 107 outputs the encrypted media key in the above-described repetition. Therefore, in the case shown in FIG. 5, a plurality of encrypted media shown in FIG. A key is generated and output. The key information generation unit 107 outputs the plurality of encrypted media keys as key information D300.
[0066]
Note that the positions where the plurality of encrypted media keys are stored in the key information D300 are determined. This position is determined by the above repetition. As shown in FIG. 7, at positions determined by “0”, “1”, “2”, “3” and “4” in the key information D300, the encrypted media key E1 (KeyE, media key), E1 (KeyG, media key), E1 (KeyI, media key), E1 (KeyL, media key), and E1 (IK2, media key) are arranged.
[0067]
1.1.2 Key Information Recording Device 200
The key information recording device 200 receives header information from the key information header generation unit 106, receives key information from the key information generation unit 107, and writes the received header information and key information to the recording medium 500a.
1.1.3 Recording media 500a, b, c
The recording medium 500a is a recordable medium such as a DVD-RAM, on which no information has been recorded.
[0068]
The recording medium 500b is obtained by writing the key information with the header information added thereto by the key management device 100 and the key information recording device 200 as described above.
The recording medium 500c has the encrypted content written on the recording medium 500b by any of the recording devices 300a, 300b, 300c,... As described above.
[0069]
As shown in FIG. 8, the recording medium 500c records key information to which header information is added and encrypted content.
1.1.4 Recording Devices 300a, 300b, 300c,...
As shown in FIG. 8, the recording device 300a includes a key information storage unit 301, a decryption unit 302, a specification unit 303, an encryption unit 304, and a content storage unit 305. Since the recording devices 300b, 300c,... Have the same configuration as the recording device 300a, their description is omitted.
[0070]
The recording device 300a is specifically configured to include a microprocessor, a ROM, a RAM, and the like, and the RAM stores a computer program. The recording device 300a achieves its functions by the microprocessor operating according to the computer program.
A recording medium 500b is mounted on the recording device 300a. The recording device 300a analyzes the header information stored in the recording medium 500b based on the ID information stored therein, and specifies the position of the encrypted media key to be decrypted and the device key to be used. Then, decryption is performed using the specified device key to obtain a media key. Next, the digital content is encrypted using the obtained media key, and the encrypted content is recorded on the recording medium 500b.
[0071]
(1) Key information storage unit 301
The key information storage unit 301 includes an area for storing ID information, five device keys, and five device key identification information for identifying the five device keys, respectively.
(2) Identifying unit 303
The specifying unit 303 operates on the assumption that the key information header generation unit 106 included in the key management device 100 generates the header information of the key information according to the above-described order rule 1.
[0072]
The identification unit 303 reads out the ID information from the key information storage unit 301. The header information and the key information are read from the recording medium 500b. Next, the identification unit 303 sequentially examines the header information from the upper level using the read ID information and the read header information, thereby determining the position where one encrypted media key exists from the key information. X and data key identification information for identifying a device key used for decrypting the encrypted media key. The detailed operation for specifying the position X where the encrypted media key exists and the device key identification information will be described later.
[0073]
Next, the identification unit 303 outputs the identified one encrypted media key and the determined one device key identification information to the decryption unit 302.
(3) Decoding section 302
The decryption unit 302 receives one encrypted media key and one device key identification information from the identification unit 303. When one encrypted media key and one device key identification information are received, the device key identified by the received device key identification information is read out from the key information storage unit 301 and read out by applying the decryption algorithm D1. The received media key is decrypted using the device key to generate a media key.
[0074]
Media key = D1 (device key, encrypted media key)
Here, D (A, B) means that the decryption algorithm D is applied, the encrypted data B is decrypted using the key A, and the original data is generated.
The decryption algorithm D1 corresponds to the encryption algorithm E1, and is an algorithm for decrypting data encrypted by applying the encryption algorithm E1.
[0075]
Next, the decryption unit 302 outputs the generated media key to the encryption unit 304.
Each block illustrated in FIG. 8 is connected to another block by a connection line. However, some connection lines are omitted. Here, each connection line indicates a path through which signals and information are transmitted. In addition, among the plurality of connection lines connected to the block indicating the decryption unit 302, those having a key mark on the connection line indicate a path through which information as a key is transmitted to the decryption unit 302. . The same applies to the block indicating the encryption unit 304. The same applies to other drawings.
[0076]
(4) Content storage unit 305
The content storage unit 305 stores content that is a literary work such as digitized music.
(5) Encryption unit 304
The encryption unit 304 receives the media key from the decryption unit 302 and reads out the content from the content storage unit 305. Next, the encryption unit 304 applies the encryption algorithm E2, encrypts the read content using the received media key, and generates encrypted content.
[0077]
Encrypted content = E2 (media key, content)
Here, the encryption algorithm E2 is, for example, an encryption algorithm based on DES.
Next, the encryption unit 304 writes the generated encrypted content to the recording medium 500b. Thus, the recording medium 500c on which the encrypted content is written is generated.
[0078]
1.1.5 Playback devices 400a, 400b, 400c, ...
As shown in FIG. 9, the playback device 400a includes a key information storage unit 401, a specification unit 402, a decryption unit 403, a decryption unit 404, and a playback unit 405. Since the playback devices 400b, 400c,... Have the same configuration as the playback device 400a, description thereof will be omitted.
[0079]
The playback device 400a specifically includes a microprocessor, a ROM, a RAM, and the like, and a computer program is stored in the RAM. The playback device 400a achieves its functions by the microprocessor operating according to the computer program.
Here, the key information storage unit 401, the identification unit 402, and the decryption unit 403 have the same configurations as the key information storage unit 301, the identification unit 303, and the decryption unit 302 included in the recording device 300a, respectively. Therefore, the description is omitted.
[0080]
The recording medium 500c is mounted on the playback device 400a. The playback device 400a analyzes the header information stored in the recording medium 500c based on the ID information stored therein, and specifies the position of the encrypted media key to be decrypted and the device key to be used. Then, decryption is performed using the specified device key to obtain a media key. Next, the reproducing device 400a uses the obtained media key to decrypt the encrypted content recorded on the recording medium 500c and reproduce the content.
(1) Decoding unit 404
The decryption unit 404 receives the media key from the decryption unit 403, reads the encrypted content from the recording medium 500c, applies the decryption algorithm D2, and decrypts the read encrypted content using the received media key. , And outputs the generated content to the reproducing unit 405.
[0081]
Content = D2 (media key, encrypted content)
Here, the decryption algorithm D2 corresponds to the encryption algorithm E2, and is an algorithm for decrypting data encrypted by applying the encryption algorithm E2.
(2) Reproduction unit 405
The reproduction unit 405 receives the content from the decryption unit 404 and reproduces the received content. For example, when the content is music, the reproducing unit 405 converts the content into sound and outputs the sound.
[0082]
1.2. Operation of copyright protection system 10
The operation of the copyright protection system 10 will be described.
1.2.1 Device key allocation, recording medium generation, and content encryption or decryption operations
Here, the operation of assigning a device key to a user device, the operation of generating key information and writing it on a recording medium, and the operation of encrypting or decrypting content by the user device will be described with reference to the flowchart shown in FIG. In particular, the operation of each device until the device key is exposed by an unauthorized third party will be described.
[0083]
The tree structure construction unit 101 of the key management device 100 generates a tree structure table representing the tree structure, writes the generated tree structure table into the tree structure storage unit 102 (step S101), and then, for each node of the tree structure. A device key is generated, and the generated device key is written in the tree structure table in association with each node (step S102). Next, the device key assignment unit 103 outputs the device key, the device key identification information, and the ID information to the corresponding user device (Steps S103 to S104). The key information storage unit of the user device receives the device key, the device key identification information, and the ID information (Step S104), and records the received device key, the device key identification information, and the ID information (Step S111).
[0084]
In this way, a user device recording the device key, the device key identification information, and the ID information is produced, and the produced user device is sold to the user.
Next, the key information generation unit 107 generates a media key (Step S105), generates key information (Step S106), and outputs the generated key information to the recording medium 500a via the key information recording device 200 ( Steps S107 to S108), the recording medium 500a records the key information (step S121).
[0085]
In this manner, the recording medium 500b on which the key information is recorded is generated, and the generated recording medium 500b is distributed to users by selling or the like.
Next, the recording medium in which the key information is recorded is mounted on the user device, and the user device reads the key information from the recording medium (step S131), and is assigned to the user device itself using the read key information. The encrypted media key is identified (step S132), the media key is decrypted (step S133), and the content is encrypted using the decrypted media key and written on the recording medium 500b, or the encrypted content is recorded. The encrypted content is read from the stored recording medium 500c, and the read encrypted content is decrypted using the decrypted media key to generate the content (step S134).
[0086]
As described above, the encrypted content is written on the recording medium 500b by the user device, the encrypted content is read from the recording medium 500c on which the encrypted content is recorded by the user device, decrypted, and the content is reproduced.
Next, an unauthorized third party illegally acquires the device key assigned to the user device by some means. An unauthorized third party distributes the content illegally or produces and sells an unauthorized device imitating a legitimate user device.
[0087]
The operation manager of the key management device 100 or the copyright holder of the content knows that the content is distributed illegally or that an unauthorized device is distributed, and reports that the device key has been leaked. know.
1.2.2 Operation after device key is exposed
Here, after the device key has been exposed by an unauthorized third party, the operation of invalidating nodes in the tree structure corresponding to the exposed device key, the generation of new key information and the writing to the recording medium And the operation of encrypting or decrypting the content by the user device will be described with reference to the flowchart shown in FIG.
[0088]
The revocation device specifying unit 104 of the key management device 100 receives one or more pieces of ID information of one or more user devices to be revoked, and outputs the received ID information to the tree structure updating unit 105 (Step S151). Next, the tree structure update unit 105 receives the ID information, updates the tree structure using the received ID information (step S152), and the key information header generation unit 106 generates the header information and generates the generated header. The information is output to the key information recording device 200 (step S153), the key information generation unit generates a media key (step S154), generates key information (step S155), and stores the generated key information in the key information recording device. 200 (steps S156 to S157), and the recording medium 500a records the key information (step S161).
[0089]
In this way, the recording medium 500b on which the new key information is recorded is generated, and the generated recording medium 500b is sold or distributed to users.
Next, the recording medium on which the new key information is recorded is mounted on the user device, and the user device reads the key information from the recording medium (step S171), and uses the read key information to send the key information to the user device itself. The assigned encrypted media key is specified (step S172), the media key is decrypted (step S173), and the content is encrypted and written to the recording medium 500b using the decrypted media key, or the encrypted content is recorded. The encrypted content is read out from the recorded recording medium 500c and decrypted using the decrypted media key to generate the content (step S174).
[0090]
As described above, the encrypted content is written on the recording medium 500b by the user device, or the encrypted content is read from the recording medium 500c on which the encrypted content is recorded and decrypted by the user device to reproduce the content.
1.2.3 Operation to build and store tree structure
Here, the operation of generating the tree structure table by the tree structure construction unit 101 and writing the tree structure table into the tree structure storage unit 102 will be described using the flowchart shown in FIG. The operation described here is the details of step S101 in the flowchart shown in FIG.
[0091]
First, the tree structure construction unit 101 generates node information including “root” as the node name, and writes the node information to the tree structure table of the tree structure storage unit 102 (step S191).
Next, the tree structure construction unit 101 repeats the following steps S193 to S194 for the layer i (i = 1, 2, 3, 4).
[0092]
The tree structure construction unit 101 generates 2i character strings as node names (step S193), and sequentially writes node information including the generated 2i character strings as node names in the tree structure table (step S194).
1.2.4 Operation of outputting device key and ID information to each user device
Here, an operation of outputting a device key and ID information to each user device by the device key assignment unit 103 will be described with reference to a flowchart shown in FIG. The operation described here is the details of step S103 in the flowchart shown in FIG.
[0093]
The device key assignment unit 103 changes the variable IDs to “0000”, “0001”, “0010”,..., “1110”, “1111”, and for each variable ID, the following step S222 To S227 are repeated.
The device key assignment unit 103 acquires the device key assigned to the root (step S222), acquires the device key A assigned to the node having the first bit of the variable ID as the node name (step S223), The device key B assigned to the node having the first two bits of the ID as the node name is obtained (step S224), and the device key C assigned to the node having the first three bits of the variable ID as the node name is obtained (step S224). In step S225, a device key D assigned to a node having the first 4 bits of the variable ID as a node name is obtained (step S226), and a variable ID as ID information, a device key assigned to a root, and a device key assigned to each node are obtained. The device keys A, B, C, and D are output to the user device (step S227).
[0094]
1.2.5 Tree structure update operation
Here, the operation of updating the tree structure by the tree structure update unit 105 will be described using the flowchart shown in FIG. The operation described here is the details of step S152 in the flowchart shown in FIG.
The tree structure updating unit 105 repeats the following steps S242 to S246 for each of the one or more pieces of ID information received from the invalidation device specifying unit 104.
[0095]
The tree structure updating unit 105 acquires node information including the received ID information as a node name, and adds an invalidation flag “1” to the acquired node information (step S242).
Next, the tree structure updating unit 105 acquires node information including the first three bits of the received ID information as a node name, and adds an invalidation flag “1” to the acquired node information (step S243).
[0096]
Next, the tree structure updating unit 105 acquires node information including the first two bits of the received ID information as a node name, and adds an invalidation flag “1” to the acquired node information (step S244).
Next, the tree structure updating unit 105 acquires node information including the first bit of the received ID information as a node name, and adds an invalidation flag “1” to the acquired node information (step S245).
[0097]
Next, the tree structure updating unit 105 acquires node information including “root” as a node name, and adds an invalidation flag “1” to the acquired node information (Step S246).
1.2.6 Header information generation operation
Here, the operation of generating the header information by the key information header generation unit 106 will be described using the flowchart shown in FIG. The operation described here is the details of step S153 in the flowchart shown in FIG.
[0098]
The key information header generation unit 106 repeats steps S262 to S266 for each layer from layer 0 to layer 3. Further, the key information header generation unit 106 repeats steps S263 to S265 for each target node included in each layer.
The key information header generation unit 106 selects two lower nodes connected immediately below the target node (step S263), and adds an invalidation flag to each of the two selected lower nodes. It is checked whether or not the NRP is present (step S264), and the generated NRP is output (step S265).
[0099]
1.2.7 Key information generation operation
Here, the operation of generating key information by key information generating section 107 will be described using the flowchart shown in FIG. The operation described here is the details of step S155 in the flowchart shown in FIG.
The key information generation unit 107 repeats steps S282 to S287 for each layer from layer 1 to layer 3. Further, the key information generation unit 107 repeats steps S283 to S286 for each target node included in each layer.
[0100]
The key information generation unit 107 determines whether or not the target node has the invalidation flag “1”. If the invalidation flag “1” has not been added (step S283), it is further determined whether or not encryption has been performed with the device key corresponding to the upper node connected to the target node. If the encryption has not been performed (step S284), the device key corresponding to the target node is obtained from the tree structure table (step S285), and the generated media key is encrypted using the obtained device key. An encrypted media key is generated, and the generated encrypted media key is output (step S286).
[0101]
When the invalidation flag “1” is added (step S283) or when encryption is performed (step S284), steps S285 to S286 are not performed.
1.2.8 Specific operation of key information
Here, an operation of specifying one encrypted media key from the key information stored in the recording medium 500b by the specifying unit 303 included in the recording device 300a will be described using a flowchart illustrated in FIG. The operation described here is the details of step S172 in the flowchart shown in FIG.
[0102]
In addition, the operation of the specifying unit 402 included in the playback device 400a is the same as the operation of the specifying unit 303, and thus the description is omitted.
The specifying unit 303 includes a variable X indicating the position of the encrypted media key, a variable A indicating the position of the NRP related to the user device itself, a variable W indicating the number of NRPs in a certain layer, and a value indicating the number of layers in the tree structure. D. Here, an NRP (Node Revolution Pattern, hereinafter referred to as NRP) related to the user device itself is a node existing on a path from a leaf assigned to the user device to a root in a tree structure. 2 shows the NRP of
[0103]
The specifying unit 303 performs analysis from the layer i = 0 to the layer i = D−1 according to the following procedure.
The specifying unit 303 sets variable A = 0, variable W = 1, and variable i = 0 as initial values (step S301).
The variable i is compared with the value D, and when the variable i is larger than the value D (step S302), since the user device has been invalidated, the specifying unit 303 ends the process.
[0104]
When the variable i is smaller than or equal to the value D (step S302), the specifying unit 303 is located at a bit position corresponding to the value of the upper i-th bit of the ID information among the left and right 2 bits forming the A-th NRP. It is checked whether the value B is “0” or “1” (step S303). Here, as shown in FIG. 4, “0” is assigned to the left path and “1” is assigned to the right path in the tree structure, and ID information is configured based on these rules. Therefore, the value “0” of the i-th bit of the ID information corresponds to the left bit of the A-th NRP, and the value “1” of the i-th bit corresponds to the right bit of the A-th NRP.
[0105]
When the value B = 0 (step S303), the specifying unit 303 counts the number of NRPs that are not all “1” among the NRPs checked so far, and substitutes the counted value into a variable X. The variable X thus obtained indicates the position of the encrypted media key. The variable i at this time is device key identification information for identifying a device key (step S307). Next, the specifying unit 303 ends the processing.
[0106]
When the value B = 1 (step S303), the specifying unit 303 counts the number of “1” s of all W NRPs present in the layer i, and substitutes the counted value into a variable W. The variable W thus obtained indicates the number of NRPs existing in the next layer i + 1 (step S304).
Next, the specifying unit 303 counts NRPs from the first NRP in the layer i to the corresponding bit position, and substitutes the counted value into a variable A. Here, the value of the corresponding bit position is not counted. The variable A thus obtained indicates the position of the NRP related to the user device itself among the NRPs of the next layer i + 1 (step S305).
[0107]
Next, the specifying unit 303 calculates a variable i = i + 1 (step S306), then shifts the control to step S302, and repeats the above processing.
1.2.9 Specific example of specific operation of key information
As a specific example, an operation until the user device 14 not invalidated shown in FIG. 5 specifies the encrypted media key using the header information and the key information shown in FIGS. 6 and 7 will be described below. It is assumed that ID information “1101” is assigned to the user device 14 and device keys “KeyA”, “KeyC”, “KeyG”, “KeyN”, and “IK14” are assigned.
[0108]
(Step 1) Since the value of the most significant bit of the ID information “1101” assigned to the user device 14 is “1”, the identifying unit 303 checks the right bit of the first NRP {11} (Step S303). ).
(Step 2) Since the value of the right bit of the first NRP {11} is “1”, the specifying unit 303 continues the analysis (B = 1 in step S303).
[0109]
(Step 3) The identification unit 303 counts the number of “1” in one NRP {11} existing in layer 0. Since the counted value is “2”, it is known that two NRPs exist in the next layer 1 (step S304).
(Step 4) The specifying unit 303 counts the number of “1” of the NRP up to the corresponding bit position. However, the value of the corresponding bit position is not counted. Since the counted value is “1”, the position of the corresponding NRP of the next layer 1 is the first in the layer 1 (step S305).
[0110]
(Step 5) Next, since the value of the second highest bit of the ID information “1101” is “1”, the identifying unit 303 checks the right bit of the first NRP {10} of Layer 1 ( Step S303).
(Step 6) Here, since the value of the right bit of the first NRP {10} of layer 1 is “0”, the identifying unit 303 ends the analysis (B = 0 in step S303).
[0111]
(Step 7) The identification unit 303 counts the number of NRPs that are not all “1” among the NRPs so far. However, the NRP checked last is not counted. Since the counted value is “1”, the position of the encrypted media key is the first in the key information (step S307).
(Step 8) As shown in FIG. 7, the encrypted media key stored in the first position of the key information is E1 (KeyG, media key).
[0112]
The user device 14 holds KeyG. Therefore, the user device 14 can obtain the media key by decrypting the encrypted media key using KeyG.
1.3 Summary
As described above, according to the first embodiment, since a plurality of NRPs are arranged in order of level in the header information of the key information recorded in advance on the recording medium, the key information becomes compact. . Further, the player can efficiently specify the encrypted media key to be decrypted.
[0113]
2. Second embodiment
Here, a second embodiment as a modified example of the first embodiment will be described.
In the first embodiment, as shown in FIG. 18 as an example, there is a possibility that a user device to be invalidated is biased toward a specific leaf in a tree structure. In this case, in the header information of the key information that the key management device 100 writes on the recording medium, the NRP of {11} increases. In the example shown in FIG. 18, since the left half leaf of the tree structure T300 corresponds to all the invalidated devices, the header information in the key information includes 11 NRPs, of which 8 are $ 11 ｝.
[0114]
In the example shown in FIG. 18, since the left half of the tree structure T300 is an invalidated device, if all the nodes below the left node of the layer 1 are invalidated nodes, There is no need to record the corresponding NRP as header information on the recording medium.
Therefore, in the second embodiment, when the invalidated devices are concentrated on a specific leaf in the tree structure, the copyright protection system 10b (shown in the drawing) can reduce the data amount of the header information. No) will be described.
[0115]
As described in the first embodiment, the key management device 100 generates an NRP as the header information of the key information. Here, the key management device 100 adds one bit to the head of the NRP. When the added bit is “1”, it indicates that all the user devices assigned to the descendant nodes of the node are invalidation devices. In FIG. 19, the nodes T401 and T402 have a head bit of “0” because the devices assigned to the descendant nodes of these nodes are not all invalidation devices, and the NRPs are {011}, It is expressed as {010}. Since the devices assigned to the nodes descended from the node T403 are all invalidation devices, the NRP is expressed as {111}. The key management device 100 does not write the NRP for the descendant node of the node T403 on the recording medium.
[0116]
2.1 Configuration of copyright protection system 10b
The work protection system 10b has the same configuration as the work protection system 10. Here, the description will focus on differences from the copyright protection system 10.
In the second embodiment, it is assumed that the user devices 1 to 8 and the user device 12 are respectively invalidated as shown in FIG.
[0117]
2.1.1 Key Management Device 100
The key management device 100 of the copyrighted work protection system 10b has the same configuration as the key management device 100 described in the first embodiment. Here, the difference will be mainly described.
(1) Tree structure storage unit 102
The tree structure storage unit 102 has a tree structure table D400 shown in FIG. 20 as an example, instead of the tree structure table D100.
[0118]
The tree structure table D400 corresponds to the tree structure T400 shown as an example in FIG. 19, and shows a data structure for expressing the tree structure T400.
The tree structure table D400 is configured to include the same number of node information as the nodes included in the tree structure T400, and each node information corresponds to each node configuring the tree structure T400.
[0119]
Each node information includes a node name, a device key, a revocation flag, and an NRP.
The node name, the device key, and the invalidation flag are the same as those described in the first embodiment, and a description thereof will not be repeated.
The NRP is composed of three bits, and the upper one bit indicates that, as described above, all the user devices assigned to the descendants of the node indicated by the corresponding node name are invalidation devices. The lower two bits have the same contents as the NRP described in the first embodiment.
[0120]
(2) Key information header generation unit 106
If the first bit of the NRP is “1”, the key information header generation unit 106 generates an NRP indicating that all user devices assigned to nodes descended from the node are invalidation devices. , And outputs the generated NRP to the key information recording device 200. The details of the generation of the NRP will be described later.
[0121]
The key information header generation unit 106 generates the header information D500 shown in FIG. 21 as an example. The header information D500 includes NRPs {011}, {111}, {010}, {001}, and {001}, and includes each NRP in this order. Also, as shown in this figure, NRPs {011}, {111}, {} at positions determined by “0”, “1”, “2”, “3”, and “4” in the header information D500, respectively. 010}, {001} and {001} are arranged.
[0122]
(3) Key information generation unit 107
The key information generation unit 107 generates, for example, key information D600 shown in FIG. The key information D600 includes three encrypted media keys. The three encrypted media keys are obtained by encrypting the media keys using device keys KeyG, KeyL, and IK11, respectively.
[0123]
The position where each of the plurality of encrypted media keys is stored in the key information D600 is determined. As shown in this figure, at positions defined by “0”, “1” and “2” in the key information D600, the encrypted media key E1 (KeyG, media key), E1 (KeyL, media key) and E1 (IK11, media key) is arranged.
[0124]
2.1.2 Recording device 300a
The recording device 300a has the same configuration as the recording device 300a described in the first embodiment. Here, the difference will be mainly described.
(1) Identifying unit 303
The identification unit 303 identifies the position X where one encrypted media key exists from the key information by sequentially examining the header information from the top using the ID information and the header information. The detailed operation for specifying the position X where the encrypted media key exists will be described later.
[0125]
2.2 Operation of copyright protection system 10b
The operation of the copyright protection system 10b will be described focusing on differences from the operation of the copyright protection system 10.
2.2.1 Operation of generating header information
Here, the operation of generating the header information by the key information header generation unit 106 will be described using the flowcharts shown in FIGS. The operation described here is the details of step S153 in the flowchart shown in FIG.
[0126]
The key information header generation unit 106 repeats steps S322 to S327 for each layer from layer 0 to layer 3. Further, the key information header generation unit 106 repeats steps S323 to S326 for each target node included in each layer.
The key information header generation unit 106 selects two lower nodes connected immediately below the target node (step S323), and determines whether each of the selected two lower nodes has an invalidation flag. Is generated, an NRP is generated (step S324), an extension bit having a value “0” is added to the head of the generated NRP (step S325), and the NRP added with the extension bit is It is added to the node information corresponding to the node (step S236).
[0127]
When the repetition of steps S321 to S328 is completed as described above, an NRP is added to each node information as in the method described in the first embodiment. Here, a value “0” (1 bit) is added to the head of each NRP. Next, the key information header generation unit 106 repeats steps S330 to S335 for each layer from layer 3 to layer 0. Further, the key information header generation unit 106 repeats steps S331 to S334 for each target node included in each layer.
[0128]
The key information header generation unit 106 selects two lower nodes connected immediately below the target node (step S331), and determines whether NRP {111} is added to both of the selected two nodes. Find out what. However, if the two selected nodes are leaves, it is checked whether or not both of the selected two nodes have an invalidation flag (step S332).
[0129]
Only if both of the selected two lower nodes have NRP {111}, but if the selected two nodes are leaves, it is invalid for both of the selected two lower nodes. Only when the activation flag is attached (step S333), the key information header generation unit 106 rewrites the first bit of the NRP added to the target node to “1” (step S334).
[0130]
When the repetition of steps S329 to S336 is completed as described above, {111} is added to the upper nodes connected to the two lower nodes to which NRP {111} is added. .
Next, the key information header generation unit 106 repeats steps S338 to S343 for each layer from layer 2 to layer 0. Further, the key information header generation unit 106 repeats steps S339 to S342 for each target node included in each layer.
[0131]
The key information header generation unit 106 selects two lower nodes connected immediately below the target node (step S339), and determines whether NRP {111} is added to both of the selected two lower nodes. Is checked (step S340).
Only when NRP {111} is added to both of the selected two lower nodes (step S341), key information header generating section 106 generates a tree of the NRP added to each of the selected two lower nodes. It is deleted from the structure table (step S342).
[0132]
Next, the key information header generation unit 106 sequentially reads and outputs the NRPs stored in the tree structure table from the root (step S345).
As described above, when the first bit of the NRP is “1”, an NRP indicating that all the user devices assigned to the descendant nodes of the node are invalidation devices is generated.
[0133]
2.2.2 Specific operation of key information
Here, an operation of specifying one encrypted media key from the key information stored in the recording medium 500b by the specifying unit 303 included in the recording device 300a will be described using a flowchart illustrated in FIG. The operation described here is the details of step S172 in the flowchart shown in FIG.
[0134]
The operation of specifying one encrypted media key by the specifying unit 303 is the same as the operation described in the first embodiment, and the description will focus on the differences.
When the value B = 0 (step S303), the specifying unit 303 counts the number of NRPs whose lower 2 bits are not all “1” among the NRPs checked so far, and substitutes the counted value into a variable X. I do. The variable X thus obtained indicates the position of the encrypted media key (step S307a). Next, the specifying unit 303 ends the processing.
[0135]
When the value B = 1 (step S303), the specifying unit 303 counts the number of “1” of all W NRPs present in the layer i. However, the NRP in which the most significant bit of the NRP is “1” is not counted. The counted value is substituted for a variable W. The variable W thus obtained indicates the number of NRPs existing in the next layer i + 1. (Step S304a).
[0136]
Next, the specifying unit 303 counts the number of “1” s of the NRP up to the corresponding bit position, counting from the first NRP. However, the NRP in which the most significant bit of the NRP is “1” is not counted. The counted value is substituted for a variable A. Here, the value of the corresponding bit position is not counted. The variable A thus obtained indicates the position of the NRP related to the user device itself among the NRPs of the next layer i + 1 (step S305a).
[0137]
2.2.3 Specific example of specific operation of key information
As a specific example, an operation until the user device 10 which has not been revoked shown in FIG. 19 specifies the encrypted media key using the key information shown in FIGS. 21 and 22 will be described below. It is assumed that ID information “1001” is assigned to the user device 10, and device keys “KeyA”, “KeyC”, “KeyF”, “KeyL”, and “IK10” are assigned.
[0138]
(Step 1) Since the value of the most significant bit of the ID information “1001” assigned to the user device 10 is “1”, the specifying unit 303 determines the right bit of the lower two bits of the first NRP {011}. Is checked (step S303).
(Step 2) Since the value of the right bit of the lower two bits of the first NRP {011} is “1”, the specifying unit 303 continues the analysis (B = 1 in step S303).
[0139]
(Step 3) The identification unit 303 counts the number of “1” in the lower two bits of one NRP {011} existing in layer 0. Since the counted value is “2”, it is known that two NRPs exist in the next layer 1 (step S304a).
(Step 4) The identification unit 303 counts the number of “1” in the lower two bits of NRP {011} up to the corresponding bit position. However, the value of the corresponding bit position is not counted. Since the counted value is “1”, the position of the corresponding NRP of the next layer 1 is the first in the layer 1 (step S305a).
[0140]
(Step 5) Next, since the value of the second highest bit of the ID information “1001” is “0”, the specifying unit 303 determines that the lower two bits of the first NRP {010} of layer 1 The left bit is checked (step S303).
(Step 6) Here, since the value of the left bit of the lower two bits of the first NRP {010} of layer 1 is “1”, the specifying unit 303 continues the analysis (at step S303, B = 1).
[0141]
(Step 7) The identification unit 303 counts the number of “1” in the lower two bits of the two NRPs {111} and {010} existing in layer 1. However, the NRP in which the most significant bit of the NRP is “1” is not counted. Since the counted value is “1”, it is known that one NRP exists in the next layer 2 (step S304a).
[0142]
(Step 8) The specifying unit 303 counts the number of “1” s of the NRP up to the corresponding bit position. However, the value of the corresponding bit position is not counted. Since the counted value is “0”, the position of the corresponding NRP of the next layer 2 is the 0th in layer 2 (step S305a).
(Step 9) Next, since the value of the third bit from the high order of the ID information “1001” is “0”, the specifying unit 303 determines whether the low order 2 bits of the 0th NRP {001} of layer 2 The left bit is checked (step S303).
[0143]
(Step 10) Here, since the value of the left bit of the lower 2 bits of the 0th NRP {001} of the layer 2 is “0”, the specifying unit 303 ends the analysis (at step S303, B = 0).
(Step 11) The identification unit 303 counts the number of NRPs whose lower two bits are not all “1” among the NRPs analyzed so far. The NRP checked last is not counted. Since the counted value is “1”, the position of the encrypted media key is the first in the key information (step S307a).
[0144]
(Step 12) From FIG. 22, the encrypted media key stored in the first position of the key information is E1 (KeyL, media key).
The user device 10 holds KeyL. Therefore, the user device 10 can obtain the media key by decrypting the encrypted media key using KeyL.
[0145]
In the second embodiment described above, when all of the user devices existing in descendants of a certain node are invalidation devices, the added bit is set to “1”. However, if there is a tree structure in which the number of leaf layers is different, and if there is no NRP in the descendant of a certain node, the added bit is set to "1" so that it can be used as a flag indicating the end. Can be.
[0146]
3. Third embodiment
In the second embodiment, a bit indicating whether or not all descendants of a certain node are invalidation devices is added to the head of the NRP. It shows how to keep it even lower.
In the third embodiment described below, instead of adding a bit to the NRP, an NRP having a specific pattern {00} is used to determine whether all descendants of one node are invalidation devices. to decide. This focuses on the fact that NRP {00} is not used in all layers except layer 0. The following describes a copyright protection system 10c (not shown) that can further reduce the amount of header information as compared with the second embodiment.
Here, it is assumed that the user devices 1 to 8 and the user device 12 are respectively invalidated as shown in FIG. In the third embodiment, the NRP is as shown in the first embodiment, but when all the user devices descended from a certain node are invalidating devices, the NRP of the node is set to {00}. Express. For the node T501 in FIG. 28, the descendants of the node are all the invalidation devices, so the NRP is expressed as {00}.
[0147]
3.1 Configuration of copyright protection system 10c
The copyrighted work protection system 10c has the same configuration as the copyrighted work protection system 10. Here, the description will focus on differences from the copyright protection system 10.
3.1.1 Key Management Device 100
The key management device 100 of the copyrighted work protection system 10c has the same configuration as the key management device 100 described in the first embodiment. Here, the difference will be mainly described.
[0148]
(1) Key information header generation unit 106
When the NRP is {00}, the key information header generation unit 106 generates an NRP indicating that all the user devices assigned to the descendant nodes of the node are invalidation devices, and generates the generated NRP. Output to the key information recording device 200. The details of the generation of the NRP will be described later.
[0149]
The key information header generation unit 106 generates, for example, header information D700 shown in FIG. The header information D700 is composed of NRP {11}, {00}, {10}, {01}, and {01}, and includes each NRP in this order. Also, as shown in this figure, NRP {11}, {00}, {} at positions determined by “0”, “1”, “2”, “3”, and “4” in the header information D700, respectively. 10}, {01} and {01} are arranged.
[0150]
(2) Key information generation unit 107
The key information generation unit 107 generates, for example, key information D800 illustrated in FIG. The key information D800 includes three encrypted media keys. The three encrypted media keys are obtained by encrypting the media keys using device keys KeyG, KeyL, and IK11, respectively.
[0151]
The position where each of the plurality of encrypted media keys is stored in the key information D800 is determined. As shown in this figure, at positions determined by “0”, “1” and “2” in the key information D800, the encrypted media key E1 (KeyG, media key), E1 (KeyL, media key) and E1 (IK11, media key) is arranged.
[0152]
3.1.2 Recording device 300a
The recording device 300a of the copyrighted work protection system 10c has the same configuration as the recording device 300a described in the first embodiment. Here, the difference will be mainly described.
(1) Identifying unit 303
The identification unit 303 identifies the position X where one encrypted media key exists from the key information by sequentially examining the header information from the top using the ID information and the header information. The detailed operation for specifying the position X where the encrypted media key exists will be described later.
[0153]
3.2 Operation of copyright protection system 10c
The operation of the copyright protection system 10c will be described focusing on differences from the operation of the copyright protection system 10.
3.2.1 Operation of generating header information
Here, the operation of generating the header information by the key information header generation unit 106 will be described using the flowcharts shown in FIGS. The operation described here is the details of step S153 in the flowchart shown in FIG.
[0154]
The key information header generation unit 106 repeats steps S322 to S327 for each layer from layer 0 to layer 3. Further, the key information header generation unit 106 repeats steps S323 to S326a for each target node included in each layer.
The key information header generation unit 106 selects two lower nodes connected immediately below the target node (step S323), and determines whether each of the selected two lower nodes has an invalidation flag. Is checked to generate an NRP (step S324), and the generated NRP is added to the node information corresponding to the target node in the tree structure table (step S236a).
[0155]
When the repetition of steps S321 to S328 is completed as described above, the NRP is added to each node in the same manner as in the method described in the first embodiment.
Next, key information header generating section 106 repeats steps S330 to S335 for each layer from layer 3 to layer 0. Further, the key information header generation unit 106 repeats steps S331 to S334a for each target node included in each layer.
[0156]
The key information header generation unit 106 selects two lower nodes connected immediately below the target node (step S331), and determines whether NRP {11} is added to both of the selected two nodes. Find out what. However, if the two selected nodes are leaves, it is checked whether or not both of the selected two nodes have an invalidation flag (step S332).
[0157]
Only if both of the selected two lower nodes have NRP {11}, but if the selected two nodes are leaves, it is invalid for both of the selected two lower nodes. Only when the activation flag is attached (step S333), the key information header generation unit 106 rewrites the NRP added to the target node to {00} (step S334a).
[0158]
When the repetition of steps S329 to S336 is completed as described above, {00} is added to the upper nodes connected to the two lower nodes to which NRP {11} is added. .
Next, the key information header generation unit 106 repeats steps S338 to S343 for each layer from layer 2 to layer 0. Further, the key information header generation unit 106 repeats steps S339 to S342a for each target node included in each layer.
[0159]
The key information header generation unit 106 selects two lower nodes connected immediately below the target node (step S339), and determines whether NRP {00} is added to both of the selected two lower nodes. Is checked (step S340a).
Only when NRP {00} is added to both of the selected two lower nodes (step S341a), the key information header generation unit 106 generates a tree of the NRP added to each of the selected two lower nodes. It is deleted from the structure table (step S342a).
[0160]
Next, the key information header generation unit 106 sequentially reads and outputs the NRPs stored in the tree structure table from the root (step S345).
As described above, when the NRP is {00}, an NRP indicating that all the user devices assigned to the descendant nodes of the node are invalidation devices is generated.
[0161]
3.2.2 Specific operation of key information
Here, an operation of specifying one encrypted media key from the key information stored in the recording medium 500b by the specifying unit 303 included in the recording device 300a will be described with reference to the flowchart illustrated in FIG. The operation described here is the details of step S172 in the flowchart shown in FIG.
[0162]
The operation of specifying one encrypted media key by the specifying unit 303 is the same as the operation described in the first embodiment, and the description will focus on the differences.
When the value B = 0 (step S303), the specifying unit 303 counts the number of NRPs that are not all “1” and the number of NRPs that are not all “0” among the NRPs checked so far. However, only for layer 0, the NRP of all “0” is counted. The counted value is substituted for a variable X. The variable X thus obtained indicates the position of the encrypted media key. The variable i at this time is device key identification information for identifying a device key (step S307b). Next, the specifying unit 303 ends the processing.
[0163]
3.2.3 Specific example of specific operation of key information
As a specific example, an operation until the user device 10 that has not been revoked shown in FIG. 28 specifies an encrypted media key using the key information shown in FIGS. 29 and 30 will be described below. It is assumed that ID information “1001” is assigned to the user device 10, and device keys “KeyA”, “KeyC”, “KeyF”, “KeyL”, and “IK10” are assigned.
[0164]
(Step 1) Since the value of the most significant bit of the ID information “1001” assigned to the user device 10 is “1”, the identification unit 303 checks the right bit of the first NRP {11} (Step S303). ).
(Step 2) Since the value of the right bit of the first NRP {11} is “1”, the specifying unit 303 continues the analysis (B = 1 in step S303).
[0165]
(Step 3) The identification unit 303 counts the number of “1” in one NRP {11} existing in layer 0. Since the counted value is “2”, it is known that two NRPs exist in the next layer 1 (step S304).
(Step 4) The specifying unit 303 counts the number of “1” of the NRP up to the corresponding bit position. However, the value of the corresponding bit position is not counted. Since the counted value is “1”, the position of the corresponding NRP of the next layer 1 is the first in the layer 1 (step S305).
[0166]
(Step 5) Next, since the value of the second highest bit of the ID information “1001” is “0”, the identifying unit 303 checks the left bit of the first NRP {10} of Layer 1 ( Step S303).
(Step 6) Since the value of the left bit of the first NRP {10} of the layer 1 is “1”, the identifying unit 303 continues the analysis (B = 1 in step S303).
[0167]
(Step 7) The identification unit 303 counts the number of “1” s of two NRPs existing in layer 1. Here, NRP {00} is not counted. Since the counted value is “1”, it is known that one NRP exists in the next layer 2 (step S304).
(Step 8) The specifying unit 303 counts the number of “1” s of the NRP up to the corresponding bit position. However, the value of the corresponding bit position is not counted. Since the counted value is “0”, the position of the corresponding NRP of the next layer 2 is the 0th in layer 2 (step S305).
[0168]
(Step 9) Next, since the value of the third bit from the high order of the ID information “1001” is “0”, the identifying unit 303 determines that the low order 2 bits of the 0th NRP {01} of the layer 2 The left bit is checked (step S303).
(Step 10) Here, since the value of the left bit of the lower 2 bits of the 0th NRP {01} of the layer 2 is “0”, the identifying unit 303 ends the analysis (at step S303, B = 0).
[0169]
(Step 11) The identifying unit 303 counts the number of NRPs that are not all “1” among the NRPs analyzed so far. The NRP checked last is not counted. Since the counted value is “1”, the position of the encrypted media key is the first in the key information.
(Step 12) From FIG. 30, the encrypted media key stored at the first position of the key information is E1 (KeyL, media key).
[0170]
The user device 10 holds KeyL. Therefore, the user device 10 can obtain the media key by decrypting the encrypted media key using KeyL.
4. Fourth embodiment
In the first embodiment, a plurality of NRPs are arranged in order from an upper layer to a lower layer, and NRPs having the same layer are arranged in order from left to right.
[0171]
In a fourth embodiment described below, a copyright protection system 10d (not shown) that outputs a plurality of NRPs in another arrangement will be described.
4.1 Configuration of copyright protection system 10d
The copyrighted work protection system 10d has the same configuration as the copyrighted work protection system 10. Here, the description will focus on differences from the copyright protection system 10.
[0172]
4.1.1 Key Management Device 100
The key management device 100 of the copyrighted work protection system 10d has the same configuration as the key management device 100 described in the first embodiment. Here, the difference will be mainly described.
(1) Tree structure storage unit 102
The tree structure storage unit 102 is specifically composed of a hard disk unit, and has a tree structure table D1000 as shown as an example in FIG.
[0173]
The tree structure table D1000 corresponds to the tree structure T600 shown as an example in FIG. 36, and shows a data structure for expressing the tree structure T600. As will be described later, a data structure for expressing the tree structure T600 by the tree structure construction unit 101 is generated as a tree structure table D1000 and written to the tree structure storage unit 102.
(Tree structure T600)
As shown in FIG. 36, the tree structure T600 is a binary tree including five layers from layer 0 to layer 4, similarly to the tree structure T100.
[0174]
The number of nodes included in each layer of the tree structure T600 is the same as that of the tree structure T100. Also, the numbers assigned to the paths connecting the upper node and the lower node are the same as in the tree structure T100. In the tree structure T600, nodes marked with “x” are invalidated.
The node name of the node that is the root of the tree structure T600 is blank. The node names of the other nodes are set similarly to the tree structure T100.
[0175]
Each node name is represented by four digits. The node name of the root node is composed of four digits of blank characters. The node name “0” is, specifically, a character “0” +1 digit blank character + 1 digit blank character + 1 digit blank character. The node name “00” is a character “0” + a character “0” +1 digit blank character + 1 digit blank character. The node name “101” is a character “1” + character “0” + character “1” + 1-digit blank character. The node name “1111” is a character “1” + a character “1” + a character “1” + a character “1”. The same applies to other node names.
[0176]
In the tree structure T600, {10} or the like added near each node indicates an NRP. The number enclosed by a circle near each node indicates the order in which NRPs are output.
(Tree structure table D1000)
The tree structure table D1000 is configured to include the same number of node information as the nodes included in the tree structure T600, and each node information corresponds to each node configuring the tree structure T600.
[0177]
Each node information includes a node name, a device key, and a revocation flag. The node name, the device key, and the invalidation flag are the same as those in the tree structure table D100, and a description thereof will not be repeated.
Each node information is stored in the tree structure table D1000 in the order according to the order rule 2 shown below. The order rule 2 shown here is applied even when each node information is sequentially read from the tree structure table D1000 by the recording devices 300a, 300b, 300c,..., The reproducing devices 400a, 400b, 400c,. Is done.
[0178]
(A) At the head of the tree structure table D1000, node information corresponding to the root node is stored.
(B) After node information corresponding to one node (referred to as a specific node) is stored in the tree structure table D1000, there are two lower nodes connected to the lower side of the specific node. , The node information is arranged as shown below. Subsequent to the node information corresponding to the specific node, the node information corresponding to the left node and all the nodes connected to the lower nodes of the left node among the two lower nodes is stored. Subsequently, node information corresponding to the right node of the two lower nodes and all nodes connected to the lower nodes of the right node is stored.
[0179]
(C) Within (b), (b) is applied again.
Specifically, each node information is stored in the tree structure table D100 shown in FIG. 37 in the following order.
Blank (indicating the route), “0”, “00”, “000”, “0000”, “0001”, “001”, “0010”, “0011”, “01”, “010”,. , “11”, “110”, “1100”, “1101”, “111”, “1110”, “1111”
(2) Tree structure construction unit 101
The tree structure construction unit 101 constructs an n-ary tree data structure for managing device keys, and stores the constructed tree structure in the tree structure storage unit 102. Here, n is an integer of 2 or more, and as an example, n = 2.
[0180]
The details of the operation of constructing the tree structure by the tree structure construction unit 101 and storing it in the tree structure storage unit 102 will be described later.
Next, the tree structure construction unit 101 generates a device key using a random number for each node of the tree structure, and writes the generated device key in the tree structure table in association with each node.
[0181]
(3) Key information header generator 106
The key information header generation unit 106 generates a plurality of NRPs and outputs the generated NRPs to the key information recording device 200 as header information. The detailed operation of generating the NRP will be described later.
FIG. 38 shows an example of header information generated by the key information header generation unit 106. The header information D900 shown in this figure includes NRP {11}, {11}, {11}, {10}, {01}, {11}, {10}, {10}, {10}, {01}, {11}, and includes each NRP in this order.
[0182]
Note that the positions where the plurality of NRPs are stored in the header information D900 are determined. As shown in this figure, “0”, “1”, “2”, “3”, “4”, “5”, “6”, “7”, “8”, “9” are included in the header information D900. , "10", NRP {11}, {11}, {11}, {10}, {01}, {11}, {10}, {10}, {10}, {01} and {11} are arranged.
[0183]
(4) Key information generation unit 107
The key information generation unit 107 encrypts the media key by using the device key corresponding to the node that has not been revoked in the same order as the order in which the node information is stored in the tree structure table. Is generated, and the generated encrypted media key is output as key information.
[0184]
The key information generation unit 107 generates and outputs the following key information as an example.
The key information includes device keys “IK2”, “IK3”, “IK6”, “IK8”,
The encrypted media key E1 (IK2, media key), E1 (IK3, media key), and E1 (IK6, media key) are generated by encrypting the media key using “KeyL” and “KeyG”, respectively. ), E1 (IK8, media key), E1 (KeyL, media key), and E1 (KeyG, media key). In the key information, at positions determined by “0”, “1”, “2”, “3”, “4”, “5”, and “6”, the encrypted media key E1 (IK2, media key ), E1 (IK3, media key), E1 (IK6, media key), E1 (IK8, media key), E1 (KeyL, media key), and E1 (KeyG, media key).
[0185]
4.1.2 Recording device 300a
The recording device 300a of the copyrighted work protection system 10d has the same configuration as the recording device 300a described in the first embodiment. Here, the difference will be mainly described.
(1) Identifying unit 303
The identification unit 303 identifies the position X where one encrypted media key exists from the key information by sequentially examining the header information from the top using the ID information and the header information. The detailed operation for specifying the position X where the encrypted media key exists will be described later.
[0186]
4.2 Operation of copyright protection system 10d
The operation of the copyright protection system 10d will be described focusing on differences from the operation of the copyright protection system 10.
4.2.1 Operation to build and store tree structure
Here, the operation of generating the tree structure table by the tree structure construction unit 101 and writing the tree structure table into the tree structure storage unit 102 will be described using the flowchart shown in FIG. The operation described here is the details of step S101 in the flowchart shown in FIG.
[0187]
The tree structure construction unit 101 generates node information including a blank node name and writes the node information in the tree structure table (step S401).
Next, the tree structure construction unit 101 repeats the following steps S403 to S404 for layer i (i = 1, 2, 3, 4).
The tree structure construction unit 101 generates 2i character strings as node names. Specifically, when i = 1, 21 = 2 character strings “0” and “1” are generated. When i = 2, 22 = 4 character strings “00”, “01”, “10” and “11” are generated. When i = 3, 23 = 8 character strings “000”, “001”, “010”,..., “111” are generated. When i = 4, 24 = 16 character strings “0000”, “0001”, “0010”, “0011”,..., “1111” are generated (step S403). Next, the tree structure construction unit 101 writes the node information including each of the generated node names into the tree structure table (step S404).
[0188]
Next, the tree structure construction unit 101 rearranges the node information included in the tree structure table in ascending order of the node names, and overwrites the rearranged node information on the tree structure table again (step S406). ).
Thus, a tree structure table D1000 shown as an example in FIG. 37 is generated. The generated tree structure table D1000 includes each node information according to the order rule 2 described above. At this stage, each device key has not yet been recorded in the tree structure table D1000.
[0189]
4.2.2 Operation of generating header information
Here, the operation of generating the header information by the key information header generation unit 106 will be described using the flowcharts shown in FIGS. The operation described here is the details of step S153 in the flowchart shown in FIG.
[0190]
The key information header generation unit 106 attempts to read node information one by one from the tree structure table in order according to the order rule 2 (step S421).
Upon detecting the end of the node information (Step S422), the key information header generation unit 106 shifts the control to Step S427.
If the end of the node information is not detected and the node information is read (step S422), the key information header generation unit 106 determines whether the two nodes connected to the lower side of the target node corresponding to the read node information The information of the two nodes corresponding to the lower nodes of is read out (step S423).
[0191]
If there is a lower node (step S424), the key information header generation unit 106 determines whether both of the two pieces of node information corresponding to the two read lower nodes have an invalidation flag. The NRP is checked to generate an NRP (step S425), and the generated NRP is added to the node information corresponding to the read target node (step S426). Next, the process returns to step S421 to repeat the processing.
[0192]
If there is no lower node (step S424), the process returns to step S421 to repeat the processing.
Next, the key information header generation unit 106 attempts to read node information one by one from the tree structure table in order according to the order rule 2 (step S427).
Upon detecting the end of the node information (step S422), the key information header generation unit 106 ends the processing.
[0193]
If the end of the node information has not been detected and the node information has been read (step S428), the key information header generation unit 106 checks whether or not the read node information has an NRP added thereto. If there is (Step S429), the added NRP is output (Step S430), and the process returns to Step S427 to repeat the processing.
[0194]
When the NRP has not been added (step S429), the key information header generation unit 106 returns to step S427 and repeats the processing.
4.2.3 Specific operation of key information
Here, an operation of specifying one encrypted media key from the key information stored in the recording medium 500b by the specifying unit 303 included in the recording device 300a will be described with reference to the flowchart illustrated in FIG. The operation described here is the details of step S172 in the flowchart shown in FIG.
[0195]
In addition, the operation of the specifying unit 402 included in the playback device 400a is the same as the operation of the specifying unit 303, and thus the description is omitted.
The specifying unit 303 checks whether to check the variable i indicating the bit position of the ID information to be checked, the variable L indicating the layer including the currently checked NRP, the variable X storing the layer of the node at the branch point, and NRP. And a value D indicating the number of layers in the tree structure. Further, it has a pointer A indicating the position of the NRP to be checked.
[0196]
The specifying unit 303 sets variable i = 0, variable L = 0, flag F = 0, variable X = 0, and pointer A = 0 (step S1300).
Next, the specifying unit 303 determines whether or not the variable L is smaller than the number of layers D-1. If the values are larger or equal (step S1301), the specifying unit 303 inputs the last layer number of the variable X for the variable L. The variable X is a last-in first-out variable, and the output value is to be deleted. That is, if the variable X is input in the order of layer 0, layer 2, and layer 3, the first output is the layer 3, the layer 3 is deleted, and the layer 2 is output next (step S1313). ). Next, the process returns to step S1301 to repeat the processing.
[0197]
When the variable L is smaller than the number of layers D-1 (step S1301), the specifying unit 303 determines whether or not the variable i = variable L. If the variable i is not the variable L (step S1302), the specifying unit 303 shifts the control to step S1310.
When the variable i = the variable L (step S1302), the specifying unit 303 further determines whether or not the flag F = 0. If the flag F is not 0 (step S1303), the specifying unit 303 sets the flag F = 0 (step S1309), and the specifying unit 303 shifts the control to step S1310.
[0198]
If the flag F is 0 (step S1303), the specifying unit 303 checks the value B at the corresponding bit position of the A-th NRP according to the value of the upper i-th bit of the ID information, and sets the variable i = i + 1. (Step S1304).
Next, the specifying unit 303 checks whether or not the value B = 1. If the value B is not equal to 1 (step S1305), the specifying unit 303 specifies that the device to which the ID information is assigned is not invalidated. The unit 303 ends the processing.
[0199]
If the value B is 1 (step S1305), it is checked whether or not the variable is ≠ D-1. If the value is not ≠ D-1 (step S1306), the device to which this ID information is assigned is invalidated. The specifying unit 303 terminates the process. Next, if the variable is {D-1} (step S1306), the specifying unit 303 determines whether or not the NRP is {11} and the (i−1) th value of the ID information is “1”. I do. If No (step S1307), the specifying unit 303 shifts the control to step S1310.
[0200]
If Yes (step S1307), the specifying unit 303 sets the flag F = 1 (step S1308), and then sets L = L + 1 (step S1310). If NRP is {11}, the layer number is set to the variable X (Step S1311), A = A + 1 (Step S1312), and the process returns to Step S1310 to repeat the processing.
[0201]
5. Fifth embodiment
In the fourth embodiment, a plurality of NRPs are arranged according to the order rule 2.
In the fifth embodiment described below, a plurality of NRPs are output by arranging according to the order rule 2 in the same manner as the copyright protection system 10d described in the fourth embodiment. Similarly to the copyright protection system 10b described above, when the invalidated devices are concentrated on a specific leaf in the tree structure, the copyright protection system 10e (shown in the drawing) can reduce the data amount of the header information. Not described).
[0202]
5.1 Configuration of copyright protection system 10e
The work protection system 10e has the same configuration as the work protection system 10d. Here, the description will focus on differences from the copyright protection system 10d.
5.1.1 Key Management Device 100
The key management device 100 of the copyrighted work protection system 10e has the same configuration as the key management device 100d described in the fourth embodiment. Here, the difference will be mainly described.
[0203]
(1) Tree structure storage unit 102
The tree structure storage unit 102 has a tree structure table. The tree structure table included in the tree structure storage unit 102 has the same structure as the tree structure table D1000 included in the tree structure storage unit 102 described in the fourth embodiment, and is included in the tree structure table. Each node information further includes an NRP.
[0204]
(2) Key information header generation unit 106
The key information header generation unit 106 generates a plurality of NRPs and outputs the generated NRPs to the key information recording device 200 as header information. Each NRP is composed of 3 bits as described in the second embodiment.
The detailed operation of generating the NRP will be described later.
[0205]
5.1.2 Recording device 300a
The recording device 300a of the copyrighted work protection system 10e has the same configuration as the recording device 300a described in the fourth embodiment. Here, the difference will be mainly described.
(1) Identifying unit 303
The identification unit 303 identifies the position X where one encrypted media key exists from the key information by sequentially examining the header information from the top using the ID information and the header information. The detailed operation for specifying the position X where the encrypted media key exists will be described later.
[0206]
5.2 Operation of copyright protection system 10e
The operation of the copyright protection system 10e will be described focusing on differences from the operation of the copyright protection system 10d.
5.2.1 Operation of generating header information
Here, the operation of generating the header information by the key information header generation unit 106 will be described using the flowcharts shown in FIGS. The operation described here is the details of step S153 in the flowchart shown in FIG.
[0207]
The key information header generation unit 106 attempts to read node information one by one from the tree structure table in order according to the order rule 2 (step S451).
Upon detecting the end of the node information (Step S452), the key information header generation unit 106 transfers the control to Step S458.
If the end of the node information is not detected and the node information is read (step S452), the key information header generation unit 106 determines whether the two nodes connected to the lower side of the target node corresponding to the read node information The node information of the two nodes corresponding to the lower nodes is read out (step S453).
[0208]
When there is a lower node (step S454), the key information header generation unit 106 determines whether or not both of the two pieces of node information corresponding to the two read lower nodes have an invalidation flag. Then, an NRP is generated (step S455), and an extension bit having a value “0” is added to the head of the generated NRP (step S456). It is added to the corresponding node information (step S457). Next, the process returns to step S451 to repeat the processing.
[0209]
If there is no lower node (step S454), the process returns to step S451 to repeat the processing.
Next, the key information header generation unit 106 tries to read node information one by one from the tree structure table in accordance with the order rule 2 (step S458).
Upon detecting the end of the node information (step S459), the key information header generation unit 106 shifts the control to step S465.
[0210]
If the end of the node information has not been detected and the node information has been read (step S459), the key information header generation unit 106 checks all the nodes connected to the lower side of the target node corresponding to the read node information. All node information corresponding to the lower node is read (step S460).
When there is a lower node (step S461), the key information header generation unit 106 checks whether or not all the node information corresponding to all the read lower nodes has an invalidation flag (step S462). ), The head bit of the NRP added to the node information corresponding to the target node is rewritten to “1” only when it is added to all the node information (step S463) (step S464).
[0211]
Next, the process returns to step S458 to repeat the processing.
If there is no lower node (step S461), the process returns to step S458 and repeats the process.
Next, the key information header generation unit 106 tries to read node information one by one from the tree structure table in order according to the order rule 2 (step S465).
[0212]
Upon detecting the end of the node information (step S466), the key information header generation unit 106 shifts the control to step S472.
When the end of the node information has not been detected and the node information has been read (step S466), the key information header generation unit 106 checks all the nodes connected to the lower side of the target node corresponding to the read node information. All node information corresponding to the lower node is read (step S467).
[0213]
If there is a lower node (step S468), the key information header generation unit 106 checks whether or not NRP {111} is added to all the node information corresponding to all the read lower nodes (step S468). Only when it is added to all the node information (step S469), a deletion flag is added to all the node information (step S471).
[0214]
Next, the process returns to step S465 to repeat the processing.
If there is no lower node (step S468), the process returns to step S465 to repeat the processing.
Next, the key information header generation unit 106 tries to read node information one by one from the tree structure table in order according to the order rule 2 (step S472).
[0215]
Upon detecting the end of the node information (step S473), the key information header generation unit 106 ends the processing.
If the end of the node information has not been detected and the node information has been read (step S473), the key information header generation unit 106 checks whether or not the read node information has an NRP added thereto. If the deletion flag is added (step S474), it is further checked whether or not the deletion flag is added. If the deletion flag is not added (step S475), the added NRP is output (step S476). Then, the process returns to step S472 to repeat the processing.
[0216]
When the NRP has not been added (step S474) or when the deletion flag has been added (step S475), the key information header generation unit 106 returns to step S472 and repeats the processing.
5.2.2 Specific operation of key information
Here, an operation of specifying one encrypted media key from the key information stored in the recording medium 500b by the specifying unit 303 included in the recording device 300a will be described using a flowchart illustrated in FIG. The operation described here is the details of step S172 in the flowchart shown in FIG.
[0219]
In addition, the operation of the specifying unit 402 included in the playback device 400a is the same as the operation of the specifying unit 303, and thus the description is omitted.
The description here will focus on the differences from the flowchart shown in FIG.
As in the case of the fourth embodiment, the specifying unit 303 includes a variable i indicating a bit position of ID information to be checked, a variable L indicating a layer including the currently checked NRP, and a layer of a node at a branch point. Has a flag F (initial value, F = 0) for determining whether or not to check the NRP, and has a value D indicating the number of layers in the tree structure. Further, it has a pointer A indicating the position of the NRP to be checked.
[0218]
When the value B = 1 (step S1305), only when the most significant bit of the NRP is “1” (step S1316), the specifying unit 303 sets the variable i = D−1 and the variable L = D−1 (Step S1317).
When the NRP is {11} and the most significant bit of the NRP is not “1”, the specifying unit 303 stores the layer number in a variable X (Step S1311).
[0219]
6. Other modifications
Although the present invention has been described based on the above embodiment, it is needless to say that the present invention is not limited to the above embodiment. The following cases are also included in the present invention.
(1) As an embodiment of the present invention, an invalidation method according to a conventional method has been described as an example, but the present invention is not limited to the above embodiment. A key management device holds a certain tree structure, a recording device or a playback device is assigned to a leaf of the tree structure, and a device key associated with a node is assigned to each recording device or each playback device. If the revocation of the device key and the creation of the key information are performed using this tree structure, what is the method of allocating the device key associated with the node and the method of allocating the device key to each device? It may be something.
[0220]
(2) Also, as an embodiment of the present invention, a tree structure of a binary tree has been described as an example, but the present invention is not limited to a binary tree. Generally, it can also be realized by an n-ary tree. At this time, the ID information is assigned 0 to n-1 for the n paths descending from a certain node, and is assigned on the path from the leaf to the root as in the above-described embodiment. The values are set by concatenating the values in order from the top.
[0221]
(3) In the embodiment of the present invention described above, a recordable medium such as a DVD-RAM has been described. However, pre-recorded media such as DVD-Video can be realized in a similar manner.
The copyright protection system 10f for pre-recorded media will be described.
[0222]
As shown in FIG. 48, the copyright protection system 10f includes a key management device 100, a data recording device 1701, data reproducing devices 1703a, 1703b, 1703c,...
As described in the above embodiment, the key management device 100 outputs the key information to which the header information is added and the content key to the data recording device 1701, and outputs the plurality of device keys, each device key identification information, and the ID. The information is output to the data reproducing devices 1703a, 1703b, 1703c,...
[0223]
The recording medium 500a, which is a pre-recorded medium, is mounted on the data recording device 1701. The data recording device 1701 receives the key information and the media key from the key management device 100, encrypts the content using the media key, generates encrypted content, and records the generated encrypted content and the received key information. Write to medium 500a. Thus, the recording medium 500d in which the encrypted content and the key information are written is produced.
[0224]
The recording medium 500d is distributed in the market, and the user obtains the recording medium 500d. The user attaches the recording medium 500d to the data reproducing device 1703a.
The data reproducing device 1703a has previously received a plurality of device keys, each device key identification information, and ID information from the key management device 100, and when the recording medium 500d is mounted, the key information and the encrypted content from the recording medium 500d. Is read out, the encrypted media key is identified from the key information, the identified encrypted media key is decrypted using the device key, and the encrypted content is decrypted using the obtained media key to generate the content. I do.
[0225]
In such a system as well, by the same operation as the key management device 100 shown in the embodiment, the header information to be recorded on the recording medium is reduced, and the encrypted media key to be efficiently decrypted by each data reproducing device is determined. Can be identified.
(4) In the above, the case where the present invention is used to protect the copyright of digital contents has been described as an example. However, the application of the present invention is not limited to this. It can be used for the purpose of so-called conditional access, which provides information to members other than the members.
[0226]
(5) In the embodiment of the present invention, an example has been shown in which key information or encrypted content is distributed using a recording medium, but a communication medium represented by the Internet is used instead of a recording medium. You may.
(6) The key management device and the key information recording device may be configured as an integrated device.
[0227]
(7) In the above embodiment, device keys are allocated to all nodes constituting the n-ary tree in advance, and all device keys existing on the path from the leaf to the root are used for the leaf. Although it is described that the device key is allocated, the present invention is not limited to such a device key allocation method.
Instead of assigning device keys to all nodes constituting the n-ary tree in advance, device keys may be assigned to only some of the nodes in advance.
[0228]
Also, instead of allocating all device keys existing on the path from the leaf to the root to the use device corresponding to the leaf, a part of all the device keys existing on the path from the leaf to the root is used. May be assigned to the use device.
(8) As an example, assume a tree structure shown in FIG. In an initial state where the device key is not leaked, the media key is encrypted using the device key KeyA, and an encrypted media key is generated.
[0229]
At this time, it is assumed that any one of the user devices 1 to 16 is hacked by a malicious third party, the device key KeyA is exposed, and a clone device having only the device key KeyA therein is manufactured. At this time, since the clone device has only the device key KeyA, it is not possible to specify which of the user devices 1 to 16 is the hacked device. On the other hand, since the clone device has the device key KeyA, it is possible to illegally obtain a correct media key.
[0230]
In such a situation, only the device key KeyA is invalidated, and a media key is used by using a device key that covers all devices, in other words, by using a device key shared by all devices. Must be encrypted. Here, the reason why all the devices are covered is that in such a situation, it is not possible to determine which device the hacked device is.
[0231]
Therefore, the media key is encrypted using the device keys KeyB and KeyC, respectively, to generate two encrypted media keys.
Next, when the device key KeyB is exposed, the device key KeyB is invalidated, and further, the media key is encrypted using each of the device keys KeyC, KeyD, and KeyE to generate three encrypted media keys. I do.
[0232]
When such an operation is repeated for the height of the tree, the hacked device is finally specified.
In order to cope with the situation described above, when invalidating only the device key KeyA, the key management device adds NRP {100} to the node corresponding to the device key KeyA. In the case of the tree structure shown in FIG. 4, NRP {100} is added to the route.
[0233]
A leading bit “1” of NRP {100} indicates that this node is invalidated, and a bit string “00” following the leading bit “1” is connected below this node. Both nodes indicate that they have not been revoked.
That is, in the case of the tree structure shown in FIG. 4, if NRP {100} is added to the root, two media keys generated by encrypting the media key using the device keys KeyB and KeyC are used. An encrypted media key will be present. As described above, the first bit “1” of the NRP can be said to be a flag indicating that there are two encrypted media keys below this node.
[0234]
On the other hand, as described in the second embodiment, the leading bit “1” when the NRP is {111} indicates that there is no NRP below this node.
This will be described in more detail below.
(Key management device 100)
Here, it is assumed that the key management device 100 generates a tree structure T100 shown in FIG. 4, allocates a device key to each node, and allocates a user device to each leaf, as shown in FIG.
[0235]
Thereafter, as illustrated in FIG. 49, the device keys KeyA, KeyB, and KeyE assigned to the root T701, the node T702, and the node T703, respectively, leaked as described above. Then, the device keys KeyA, KeyB, and KeyE are invalidated, header information and key information are generated, and the generated header information and key information are written to a recording medium via the key information recording device 200.
[0236]
(A) Invalidation of device keys KeyA, KeyB and KeyE
The key management device 100 adds an invalidation flag “1” to the node information including the device keys KeyA, KeyB, and KeyE in the tree structure table.
(B) Generation of header information
The key management device 100 generates an NRP {010} to be added to the root T701 by using the tree structure table including the node information to which the invalidation flag is added, and generates the generated NRP {010} as part of the header information. Is written to a recording medium via the key information recording device 200. Here, the leading bit “0” of the NRP indicates that one of the two lower nodes connected immediately below the root T701 is invalidated, and the other is not invalidated. As described in the above embodiment, the lower two bits “10” of the NRP indicate that the left node T702 of the two lower nodes connected immediately below the root T701 is invalidated. The right node T704 indicates that it has not been invalidated.
[0237]
Next, the key management device 100 generates NRP {001} to be added to the node T702, and writes the generated NRP {001} as a part of header information to the recording medium via the key information recording device 200. Here, the first bit “0” of the NRP indicates that one of the two lower nodes connected immediately below the node T702 is invalidated, and the other is not invalidated. The lower two bits “01” of the NRP indicate that the left node T705 is not invalidated and the right node T703 is invalid among the two lower nodes connected immediately below the node T702. It has been shown that
[0238]
Next, the key management device 100 generates an NRP {100} to be added to the node T703, and writes the generated NRP {100} as a part of the header information to the recording medium via the key information recording device 200. As described above, the NRP {100} does not invalidate both of the two lower nodes T706 and T707 connected immediately below the node T703, and these two nodes T706 and T707 have , Respectively, indicates that an encrypted media key exists.
[0239]
Thus, the header information D1000 shown in FIG. 50 is written on the recording medium. As shown in the figure, the header information D1000 includes NRP {010}, {001}, and {100} in this order.
(C) Generation of key information
Next, the key management device 100 generates an encrypted media key by encrypting the media key using some of the device keys that have not been revoked, as described below. The key information including the encrypted media key and the header information including the NRP are written to the recording medium via the key information recording device 200.
[0240]
First, the key management device 100 generates an encrypted media key by encrypting a media key using a device key assigned to a node existing in the highest layer among device keys that have not been revoked. I do. Here, as shown in FIG. 49, among the device keys that have not been revoked, the device key assigned to the node existing in the highest layer is the device key KeyC assigned to the node T704. The key management device 100 encrypts the media key using the device key KeyC, generates an encrypted media key E1 (KeyC, media key), and generates the encrypted media key E1 (KeyC, media key). The data is written to a recording medium via the key information recording device 200.
[0241]
Next, the key management device 100 invalidates the nodes T704 to which the device key KeyC has been allocated and the other nodes except for all nodes lower than the node T704, which have been revoked to these other nodes. A media key is encrypted by using a device key assigned to a node existing in the highest layer among device keys that are not present, and an encrypted media key is generated. Here, since the corresponding node is the node T705, the key management device 100 encrypts the media key using the device key KeyD assigned to the node T705, and encrypts the encrypted media key E1 (KeyD, media key ) Is generated, and the generated encrypted media key E1 (KeyD, media key) is written to the recording medium via the key information recording device 200.
[0242]
Next, the key management device 100 transmits the nodes T704 and all the nodes below the node T704 to which the device key KeyC is assigned, and the nodes T705 and T705 to which the device key KeyD is assigned. For other nodes except for all nodes, the media key is used by using the device key assigned to the node existing in the highest layer among the non-invalidated device keys assigned to these other nodes. To generate an encrypted media key. Here, since the corresponding node is the node T706, the key management device 100 encrypts the media key using the device key KeyJ assigned to the node T706, and encrypts the encrypted media key E1 (KeyJ, media key ) Is generated, and the generated encrypted media key E1 (KeyJ, media key) is written to the recording medium via the key information recording device 200.
[0243]
Next, the key management device 100 encrypts the media key using the device key KeyK assigned to the node t707 in the same manner as described above to generate an encrypted media key E1 (KeyK, media key). The generated encrypted media key E1 (KeyK, media key) is written to the recording medium via the key information recording device 200. In this way, the key information D1010 shown in FIG. 50 is written on the recording medium. As shown in the figure, the key information D1010 includes an encrypted media key E1 (KeyC, media key), E1 (KeyD, media key), E1 (KeyJ, media key), and E1 (KeyK, media key). It is configured to include in order.
[0244]
(Recording device 300a)
FIG. 51 is a flowchart illustrating an operation of specifying one encrypted media key from the header information and the key information stored in the recording medium as described above by the specifying unit 303 included in the recording device 300a. It will be described using FIG.
The specifying unit 303 indicates a variable X indicating the position of the encrypted media key, a variable A indicating the position of the NRP relating to the user device itself, a variable W indicating the number of NRPs in a certain layer, and indicating the number of layers to be processed. It has a variable i.
[0245]
The specifying unit 303 sets variable A = 0, variable W = 1, and variable i = 0 as initial values (step S301).
Next, the specifying unit 303 determines whether the value B at the bit position corresponding to the value of the upper i-th bit of the ID information is “0” or “1” in the lower 2 bits of the A-th NRP. It is checked whether there is (Step S303). Here, as described in the above embodiment, “0” is assigned to the left path and “1” is assigned to the right path in the tree structure shown in FIG. Since the ID information is configured based on the rule, the value “0” of the upper i-th bit of the ID information corresponds to the left bit of the lower 2 bits of the A-th NRP, and the value of the i-th bit “ "1" corresponds to the right bit of the lower two bits of the A-th NRP.
[0246]
Next, when the value B = 0 (step S303), the specifying unit 303 checks each NRP from the first NRP to the last NRP checked as follows. However, the A-th NRP is not included.
(A) When the most significant bit of the NPR is “0” and the lower two bits are not “11”, “1” is added to the variable X.
[0247]
(B) When the most significant bit of the NPR is “1”, the number of “0” included in the lower two bits is added to the variable X.
For the A-th NRP checked last, the number of “0” s up to the corresponding bit position is added to the variable X only when the most significant bit of the NRP is “1”. Here, it is assumed that the corresponding bit itself is not included. The variable X thus obtained indicates the position of the encrypted media key. The variable i at this time is device key identification information for identifying a device key (step S307c). Next, the specifying unit 303 ends the processing.
[0248]
On the other hand, when the value B is 1 (step S303), the specifying unit 303 determines whether the most significant bit of the NRP is not “1” and determines that the most significant bit of the NRP is “1”. If so (step S308), since this user device has been invalidated, the specifying unit 303 ends the process.
When determining that the most significant bit of the NRP is not “1” (step S308), the specifying unit 303 counts the number of “1” included in the lower 2 bits of all W NRPs present in layer i. , And substitute the counted value into a variable W. However, the NPR in which the most significant bit of the NRP is “1” is not counted. The variable W thus obtained indicates the number of NRPs existing in the next layer i + 1 (step S304c).
[0249]
Next, the specifying unit 303 counts the number of “1” included in the lower two bits of the NRP for each NRP from the first NRP among the NRPs existing in the layer i to the corresponding bit position. The value obtained is substituted for the variable A. Here, the value of the corresponding bit position is not counted. NRPs whose most significant bit is “1” are not counted. The variable A thus obtained indicates the position of the NRP of the next layer i + 1 relating to the user device itself (step S305c).
[0250]
Next, the specifying unit 303 calculates a variable i = i + 1 (step S306), then shifts the control to step S303, and repeats the above processing.
As described above, not only when the device key existing on the path from the leaf of the tree structure to the root is invalidated, the device key assigned to some nodes of the tree structure is invalidated. Even in this case, the key management device can write the header information and the key information on the recording medium and the reproducing device can specify the encrypted media key.
[0251]
(9) As an example, suppose the tree structure shown in FIG. 4 is in an initial state in which no device key is leaked, and there is no invalidated node in the tree structure.
In this case, the key management device encrypts the media key using the device key KeyA associated with the root to generate one encrypted media key. Next, the key management device generates one special NRP {00} indicating that there is no invalidated node in the tree structure and all nodes are valid. Next, the key management device writes the generated encrypted media key and the generated NRP {00} to a recording medium via a key information recording device.
[0252]
In this case, the reproducing apparatus reads the NRP from the recording medium, and when determining that the read NRP is only {00} and that the NRP is not recorded on the recording medium, the reproducing apparatus Determines that there is no invalidated node in the tree structure, then reads the encrypted media key recorded on the recording medium, and retrieves the device key stored in the playback device itself. The read-out encrypted media key is decrypted using the device key KeyA associated with the root to generate a media key.
[0253]
In this case, the recording device operates in the same manner as the reproducing device.
7. Sixth embodiment
An authentication system 1000 as still another embodiment according to the present invention will be described.
As shown in FIG. 52, the authentication system 1000 includes a certificate authority device 1100, a manufacturing device 1200, a manufacturing device 1300, a copyrighted work recording device 1400, and a personal computer 1500. The personal computer 1500 includes a drive unit 1600 and a main unit 1900, and the drive unit 1600 and the main unit 1900 are connected via a general-purpose communication path 1020.
[0254]
The drive manufacturer has a manufacturing apparatus 1200 connected to the Internet 1010, and manufactures the drive unit 1600. In the process of manufacturing the drive unit 1600, the manufacturing apparatus 1200 generates a drive secret key and a drive public key corresponding to the drive unit 1600, and writes the generated drive secret key to a storage area that is not accessed from outside the drive unit 1600. , And publish the generated drive public key via the Internet 1010. In addition, the manufacturing apparatus 1200 requests the certificate authority apparatus 1100 of the public key certificate authority to generate a public key certificate via the Internet 1010, and the certificate authority apparatus 1100 responds to the drive public key. A public key certificate to be generated is generated, and the generated public key certificate is transmitted to the manufacturing apparatus 1200 via the Internet 1010. The manufacturing apparatus 1200 acquires a public key certificate corresponding to the drive public key from the certificate authority apparatus 1100, and writes the acquired public key certificate into the drive unit 1600. Next, the drive manufacturer delivers the drive unit 1600 in which the drive secret key and the public key certificate are written to the personal computer manufacturer.
[0255]
The personal computer manufacturer has a manufacturing apparatus 1300 connected to the Internet 1010 and manufactures the main body 1900 of the personal computer 1500. In the process of manufacturing the main body 1900, the manufacturing apparatus 1300 obtains a drive public key published via the Internet 1010, and writes the obtained drive public key into the main body 1900. Next, the personal computer manufacturer connects the supplied drive unit 1600 and the main unit 1900 in which the drive public key is written by connecting the general-purpose communication path 1020 to assemble the personal computer 1500.
[0256]
The produced personal computer 1500 is sold through a dealer, and the user purchases the personal computer 1500.
Here, it is assumed that the set of the drive secret key and the drive public key has been disclosed by an unauthorized third party. In this case, the corresponding public key certificate must be revoked.
[0257]
Upon knowing that the public key certificate should be revoked, the certificate authority apparatus 1100 generates a CRL including a certificate ID for identifying the public key certificate to be revoked, and transmits the generated CRL to the Internet via the Internet 1010. This is transmitted to the copyrighted work recording device 1400 of the product seller. The work recording device 1400 stores a digital work, writes the digital work and the received CRL on the DVD 1800, and sells the DVD 1800 on which the digital work and the CRL are written.
[0258]
The user purchases the DVD 1800 and mounts it on the personal computer 1500.
The main unit 1900 of the personal computer 1500 reads the CRL from the DVD 1800 via the drive unit 1600, acquires the public key certificate from the drive unit 1600, and invalidates the acquired public key certificate using the read CRL. It is determined whether or not it has been performed. If it is determined that the drive unit 1600 has been invalidated, the main body unit 1900 stops using the drive unit 1600. If it is determined that the drive unit 1600 has not been revoked, the main unit 1900 further authenticates the validity of the drive unit 1600 using the drive public key stored therein, and determines that the drive unit 1600 is valid. If authenticated, the digital work is read from the DVD 1800 via the drive unit 1600. If the drive unit 1600 is authenticated as being unauthorized, the main unit 1900 stops reading the digital work from the DVD 1800 via the drive unit 1600.
[0259]
7.1 Configuration of Manufacturing Apparatus 1200
As shown in FIG. 53, the manufacturing apparatus 1200 includes an information storage unit 1201, an input unit 1202, a display unit 1203, a control unit 1204, a writing unit 1205, and a communication unit 1206.
The manufacturing apparatus 1200 is, specifically, a computer system including a microprocessor, a ROM, a RAM, a hard disk unit, a communication unit, a display unit, a keyboard, a mouse, and the like. The hard disk unit stores a computer program. The manufacturing apparatus 1200 achieves its functions by the microprocessor operating according to the computer program.
[0260]
As described above, the manufacturing apparatus 1200 is owned by the drive manufacturer. In the process of manufacturing the drive unit 1600, the drive manufacturer connects the manufacturing apparatus 1200 and the drive unit 1600 during manufacture.
(1) Information storage unit 1201
The information storage unit 1201 has a manufacturing information table 1211.
[0261]
As shown as an example in FIG. 53, the manufacturing information table 1211 stores a plurality of pieces of manufacturing information including a manufacturing number, a drive secret key, a drive public key, an expiration date, a public key certificate, and certificate signature data. Area.
Here, the serial number is an identification number for uniquely identifying a drive unit manufactured by a drive manufacturer.
[0262]
The drive secret key is a secret key generated corresponding to the drive unit.
The drive public key is a public key generated corresponding to the drive secret key.
The expiration date includes a start date and an end date of use of the drive private key and the drive public key.
The public key certificate is a certificate generated corresponding to the drive public key, and includes a certificate ID, an expiration date, and a drive public key. The certificate ID is identification information for identifying the public key certificate. The expiration date has the same content as the above expiration date. The drive public key has the same contents as the drive public key.
[0263]
The certificate signature data is signature data generated based on the public key certificate.
(2) Input unit 1202
The input unit 1202 receives the input of the serial number of the drive unit 1600 from the operator of the manufacturing apparatus 1200, further receives the input of the expiration date, and outputs the received serial number and the expiration date to the control unit 1204.
[0264]
(3) Control unit 1204
The control unit 1204 receives the serial number and the expiration date from the input unit 1202. Upon receiving the serial number and the expiration date, the control unit 1204 generates a random number, generates a drive secret key based on the generated random number, and then generates the drive secret key using RSA public key encryption technology. A drive public key is generated based on.
[0265]
Here, the RSA public key encryption technology is well-known, and thus the description is omitted.
Next, the control unit 1204 transmits the generated drive public key, the received expiration date, and a public key certificate issuance request indicating a request to issue a public key certificate via the communication unit 1206 and the Internet 1010 to the certificate authority device. 1100.
[0266]
Next, the control unit 1204 receives the public key certificate and the certificate signature data from the certificate authority device 1100 via the Internet 1010 and the communication unit 1206, and obtains the serial number, drive private key, drive public key, expiration date, The production information including the public key certificate and the certificate signature data is generated, and the generated production information is written in the production information table 1211 of the information storage unit 1200.
[0267]
The control unit 1204 outputs the serial number, the drive secret key, the public key certificate, and the certificate signature data to the writing unit 1205.
Further, the control unit 1204 discloses the serial number and the drive public key via the communication unit 1206 and the Internet 1010.
(4) Writing unit 1205
The writing unit 1205 is connected to an information storage unit 1601 (described later) of the drive unit 1600 by a drive manufacturer.
[0268]
The writing unit 1205 receives the serial number, the drive secret key, the public key certificate, and the certificate signature data from the control unit 1204, and writes the received serial number, the drive secret key, the public key certificate, and the certificate signature data into the drive unit. The data is written in the information storage unit 1601 of the 1600.
(5) Communication unit 1206
The communication unit 1206 is connected to the Internet 1010, and transmits and receives information between an external device connected to the Internet 1010 and the control unit 1204.
[0269]
(6) Display unit 1203
The display unit 1203 displays various information under the control of the control unit 1204.
7.2 Configuration of Manufacturing Apparatus 1300
Like the manufacturing apparatus 1200, the manufacturing apparatus 1300 is a computer system including a microprocessor, a ROM, a RAM, a hard disk unit, a communication unit, a display unit, a keyboard, a mouse, and the like. The hard disk unit stores a computer program. The manufacturing apparatus 1300 achieves its functions by the microprocessor operating according to the computer program.
[0270]
The manufacturing apparatus 1300 is connected to the Internet 1010.
As described above, the manufacturing apparatus 1300 is owned by the personal computer manufacturer. In the process of manufacturing the main body 1900, the personal computer manufacturer connects the manufacturing apparatus 1300 and the main body 1900.
The manufacturing apparatus 1300 obtains the published serial number and drive public key via the Internet 1010, and writes the obtained serial number and drive public key into the information storage unit 1901 (described later) of the main unit 1900.
[0271]
7.3 Certificate Authority 1100
As shown in FIG. 54, the certificate authority apparatus 1100 includes a tree structure construction unit 1101, a tree structure storage unit 1102, a CRL generation unit 1103, an invalidation notification unit 1104, a tree structure update unit 1105, a CRL storage unit 1106, and a CRL transmission unit 1107. , A certificate generation unit 1108, a certificate storage unit 1109, a transmission / reception unit 1110, an input unit 1111, a display unit 1112, and a control unit 1113.
[0272]
This device is, specifically, a computer system including a microprocessor, a ROM, a RAM, and the like. When the microprocessor operates according to the computer program, the certificate authority apparatus 1100 achieves its function.
The certificate authority device 1100 has the same configuration as the key management device 100. Here, the description will focus on differences from the key management device 100.
[0273]
(1) Tree structure storage unit 1102
The tree structure storage unit 1102 has a tree structure table D1100 (not shown) similar to the tree structure table D100 of the tree structure storage unit 102.
The tree structure table D1100 corresponds to a tree structure T1100 (not shown).
[0274]
(Tree structure T1100)
The tree structure T1100 is a binary tree including five layers from layer 0 to layer 4, and is the same tree structure as the tree structure T100 shown in FIG. The tree structure T1100 is used to manage the public key certificate ID.
On the other hand, as described above, the tree structure T100 is used for managing device keys. Thus, the tree structure T1100 differs from the tree structure T100 in the purpose of its use. The configuration itself of the tree structure T1100 is the same as that of the tree structure T100, and a detailed description thereof will be omitted.
[0275]
(Tree structure table D1100)
The tree structure table D1100 has an area for storing the same number of node information as the nodes included in the tree structure T1100, and each node information corresponds to each node configuring the tree structure T1100.
Each node information corresponding to a node other than a leaf included in the tree structure table D1100 includes a node name and an invalidation flag. Each node information corresponding to a leaf includes a node name, a drive public key, and a revocation flag. Here, the drive public key is received from the manufacturing apparatus 1200 as described later.
[0276]
Note that each node information included in the tree structure table D100 includes the node name, the device key, and the invalidation flag as described above, while each node information included in the tree structure table D1100 includes the node name and the node name. It includes an invalidation flag, or includes a node name, a drive public key, and an invalidation flag.
In this respect, the tree structure table D1100 is different from the tree structure table D100, and the other points are the same. Therefore, a detailed description of the tree structure table D1100 will be omitted.
[0277]
(2) Tree structure construction unit 1101
The tree structure construction unit 1101 has the same configuration as the tree structure construction unit 101.
The tree structure constructing unit 1101 constructs a data structure of an n-ary tree for managing the public key certificate ID similarly to the tree structure constructing unit 101, and stores the constructed tree structure in the tree structure storage unit 1102. Specifically, similarly to the tree structure construction unit 101, the node name of each node is generated from the node information included in the tree structure table D1100, and the generated node name is written in each node information.
[0278]
Thus, at the time when the tree structure construction unit 1101 completes the construction of the tree structure, each node information included in the tree structure table D1100 includes only the node name.
Note that the tree structure construction unit 101 generates a device key for each node of the tree structure, and writes the generated device key in the tree structure table in association with each node. The generation and the writing to the tree structure table of the device key are not performed. In this respect, they are different.
[0279]
(3) Certificate storage unit 1109
The certificate storage unit 1109 has an area for storing one or more public key certificates described below.
(4) Certificate generation unit 1108
The certificate generation unit 1108 receives a public key certificate issuance request indicating a request for issuing a public key certificate, a drive public key, and an expiration date from the manufacturing apparatus 1200 via the Internet 1010 and the transmission / reception unit 1110.
[0280]
Upon receiving the public key certificate issuance request, the drive public key, and the expiration date, the certificate generation unit 1108 checks the drive information in the node information corresponding to the leaf in the tree structure table D1100 stored in the tree structure storage unit 1102. One that does not include the public key is selected, and the received drive public key is written in the selected node information.
[0281]
Further, the certificate generation unit 1108 extracts a node name from the selected node information. Here, the extracted node name is set as a certificate ID for identifying a public key certificate corresponding to the received drive public key.
Thus, the certificate generation unit 1108 generates the certificate ID of the public key certificate corresponding to the received drive public key. Next, the certificate generation unit 1108 generates a public key certificate including the generated certificate ID, the received expiration date, and the received drive public key.
[0282]
Next, the certificate generation unit 1108 applies the digital signature SIG to the generated public key certificate using the certificate authority private key held only by the certificate authority device 1100 in secret, and generates the certificate signature data. Generate.
Here, the digital signature SIG is a digital signature that uses ElGamal encryption based on the security of a discrete logarithm problem on an elliptic curve.
[0283]
Next, the certificate generation unit 1108 transmits the generated public key certificate and certificate signature data to the manufacturing apparatus 1200 via the transmission / reception unit 1110 and the Internet 1010. Further, the certificate generation unit 1108 writes the generated public key certificate into the certificate storage unit 1109.
(5) Invalid notification unit 1104
Assume that a set of a drive private key and a drive public key has been disclosed by an unauthorized third party. In this case, the corresponding public key certificate must be revoked.
[0284]
When the administrator of the certificate authority apparatus 1100 knows the certificate ID of the public key certificate to be revoked, the invalidation notifying unit 1104 sends the public key to be revoked via the input unit 1111 by the operation of the administrator. The certificate ID of the certificate is obtained, and the obtained certificate ID is output to the tree structure updating unit 1105.
(6) Tree structure update unit 1105
The tree structure updating unit 1105 receives the certificate ID from the invalidation notifying unit 1104.
[0285]
Upon receiving the certificate ID, the tree structure updating unit 105 updates the tree structure table D1100.
In the description of the tree structure updating unit 105, “ID information” is replaced with “certificate ID”.
Thus, similarly to the tree structure updating unit 105, the tree structure updating unit 1105 determines, based on the certificate ID received from the invalidation notifying unit 1104, the tree structure D1100 from the leaf indicated by the received certificate ID to the root. Invalidate all nodes existing on the route.
[0286]
When it is assumed that the certificate IDs indicated by “0000”, “1010”, and “1011” are invalidated in the tree structure D1100, the tree whose nodes have been invalidated by the tree structure updating unit 1105 as described above. The structure is as shown in FIG. In this figure, the nodes marked with “x” indicate the invalidated nodes.
(7) CRL storage unit 1106
The CRL storage unit 1106 has an area for storing one or more CRLs.
[0287]
(8) CRL generation unit 1103
The CRL generation unit 1103 operates in the same manner as the key information header generation unit 106. As a result, CRL generating section 1103 generates a plurality of NRPs.
FIG. 55 shows an example of a plurality of NRPs (referred to as an NRP group) generated by the CRL generation unit 1103. As shown in this figure, the NRP group is composed of NRP {11}, {10}, {10}, {10}, {01}, {10}, {11}, and includes each NRP in this order. In.
[0288]
Here, the generated NRP group has the same contents as the header information D200 (shown in FIG. 6) generated by the key information header generation unit 106.
The operation of the CRL generation unit 1103 described above is the same as that of the key information header generation unit 106.
Next, as a different operation from the key information header generation unit 106, the CRL generation unit 1103 uses the certification authority private key held only by the certification authority device 1100 to add the digital signature SIG to the generated NRP group. Then, NRP signature data is generated, and a CRL including the NRP group and the generated NRP signature data is generated.
[0289]
FIG. 55 shows an example of the CRL. The CRL 1131 shown in the figure includes an NRP group 1132 and NRP signature data 1133.
Next, the CRL generation unit 1103 writes the generated CRL into the CRL storage unit 1106. The generated CRL is transmitted to the copyrighted work recording device 1400 via the CRL transmission unit 1107 and the Internet 1010.
[0290]
(9) CRL transmission section 1107
The CRL transmission unit 1107 is connected to the Internet 1010, receives information from the CRL generation unit 1103, and transmits the received information to an external device via the Internet 1010.
(10) Transmission / reception unit 1110
The transmission / reception unit 1110 is connected to the Internet 1010, and transmits / receives information between the certificate generation unit 1108 and an external device connected to the Internet 1010.
[0291]
(11) Control unit 1113, display unit 1112, and input unit 1111
The control unit 1113 controls each component of the certificate authority device 1100.
The display unit 1112 displays various information under the control of the control unit 1113.
The input unit 1111 receives an input from an operator of the certificate authority device 1100.
7.4 Work recording device 1400
As shown in FIG. 56, the work recording device 1400 includes a work storage unit 1401, an encryption unit 1402, a writing unit 1403, and a transmission / reception unit 1404.
[0292]
The copyrighted work recording device 1400 is a computer system including a microprocessor, a ROM, a RAM, and the like. When the microprocessor operates according to the computer program, the copyrighted work recording device 1400 achieves its function.
(1) Work storage unit 1401
The work storage unit 1401 stores a digital work in advance.
[0293]
(2) Transmission / reception unit 1404
The transmission / reception unit 1404 is connected to the Internet 1010.
The transmission / reception unit 1404 receives a CRL from the certificate authority device 1100 via the Internet 1010, and outputs the received CRL to the encryption unit 1402.
(3) Encryption unit 1402
The encryption unit 1402 receives the CRL from the transmission / reception unit 1404.
[0294]
In addition, the encryption unit 1402 reads the digital work from the work storage unit 1401 according to the instruction of the operator, applies the encryption algorithm E3 to the read digital work and the received CRL, and respectively outputs the encrypted work. And generate an encrypted CRL.
Here, the encryption algorithm E3 is based on DES.
[0295]
Next, the encryption unit 1402 outputs the generated encrypted work and the encrypted CRL to the writing unit 1403.
(4) Writing unit 1403
The writing unit 1403 receives the encrypted work and the encrypted CRL from the encryption unit 1402, and writes the received encrypted work and the encrypted CRL to the DVD 1800.
[0296]
(5) Transmission / reception unit 1404
The transmission / reception unit 1404 is connected to the Internet 1010.
The transmission / reception unit 1404 receives information from an external device via the Internet 1010 and outputs the received information to the encryption unit 1402.
7.5 Main Body 1900
As shown in FIG. 57, the main unit 1900 includes an information storage unit 1901, a decoding unit 1902, an authentication unit 1903, a display unit 1904, an input / output unit 1905, a control unit 1906, a reproduction unit 1907, a decoding unit 1908, and an input unit 1909. It is configured.
[0297]
The main body 1900 is specifically a computer system including a microprocessor, a ROM, a RAM, a hard disk unit, a display unit, a keyboard, a mouse, and the like. A computer program is stored in the RAM or the hard disk unit. The main unit 1900 achieves its functions by the microprocessor operating according to the computer program.
[0298]
(1) Information storage unit 1901
As shown as an example in FIG. 57, the information storage unit 1901 includes an area for storing a serial number and a drive public key.
As described above, in the process of manufacturing the main body 1900 by the personal computer manufacturer, the manufacturing apparatus 1300 and the main body 1900 are connected, and the manufacturing number and the drive public key are written into the information storage unit 1901 by the manufacturing apparatus 1300.
[0299]
The serial number is identification information for identifying the drive unit 1600, and the drive public key is a public key generated corresponding to the drive unit 1600.
(2) Control unit 1906
The control unit 1906 outputs a CRL reading instruction indicating CRL reading to the drive unit 1600 via the input / output unit 1905.
[0300]
The control unit 1906 receives, from the authentication unit 1903, success information indicating successful verification of the validity of the NRP group or failure information indicating verification failure. When receiving the success information, it further receives an NRP group from the authentication unit 1903.
Upon receiving the failure information, the control unit 1906 outputs a message indicating that the verification has failed to the display unit 1904, and controls the display unit 1904 to display the message. After that, the control unit 1906 stops access to the DVD by the drive unit 1600.
[0301]
Upon receiving the success information, the control unit 1906 further requests a public key certificate from the drive unit 1600 via the input / output unit 1905.
(Invalidation judgment)
Next, the control unit 1906 receives the public key certificate from the drive unit 1600, extracts a certificate ID from the received public key information, and uses the extracted certificate ID and the NRP group received from the authentication unit 1903. The public key certificate is invalidated as described below.
[0302]
The control unit 1906 makes a public key certificate invalidation determination in the same manner as the specifying unit 303 shown in the first embodiment. The specifying unit 303 operates to specify the encrypted media key. On the other hand, the control unit 1906 operates to determine whether or not the public key certificate is invalidated. In this point, the specifying unit 303 and the control unit 1906 are different.
[0303]
Here, the operation of the control unit 1906 for determining the revocation of the public key certificate will be described focusing on the difference from the operation of the specifying unit 303.
The control unit 1906 operates as shown in the flowchart of FIG. 17 to determine whether the public key certificate is invalidated.
The control unit 1906 has a variable A indicating the position of the NRP related to the certificate ID, a variable W indicating the number of NRPs in a certain layer, and a value D indicating the number of layers in the tree structure. Here, the NRP related to the certificate ID indicates the NRP of a node existing on a path from a leaf assigned to the certificate ID to a root in a tree structure. Note that the control unit 1906 does not have the variable X indicating the position of the encrypted media key of the specifying unit 303.
[0304]
If the determination is “No” in step S302 of the flowchart in FIG. 17, the control unit 1906 regards the public key certificate as invalid.
When it is determined that “B = 0” in step S303 of the flowchart in FIG. 17, the control unit 1906 regards the public key certificate as valid. Note that the control unit 1906 does nothing in step S307.
[0305]
In this way, the control unit 1906 determines whether or not the public key certificate is invalid, and when it is determined that the public key certificate is invalid, the control unit 1906 displays the public key certificate on the display unit 1904. A message indicating that the message is invalid is output, and control is performed to display the message. After that, the control unit 1906 stops access to the DVD by the drive unit 1600.
[0306]
On the other hand, when determining that the public key certificate is valid, the control unit 1906 generates a random number R, outputs the generated random number R to the drive unit 1600 via the input / output unit 1905, and The authentication signature data is received from 1600.
The control unit 1906 reads the drive public key from the information storage unit 1901, performs a verification algorithm VER on the generated random number R and the received authentication signature data using the read drive public key, and verifies the validity of the drive unit 1600. Verify
[0307]
Here, the verification algorithm VER corresponds to the digital signature SIG described above, and performs verification using signature data generated by the digital signature SIG.
If the verification fails, the control unit 1906 outputs to the display unit 1904 a message indicating that the drive unit 1600 is invalid, and controls to display the message. After that, the control unit 1906 stops access to the DVD by the drive unit 1600.
[0308]
If the verification is successful, the control unit 1906 outputs an instruction to read the copyrighted work to the drive unit 1600 via the input / output unit 1905.
Next, the control unit 1906 receives the encrypted work from the drive unit 1600 via the input / output unit 1905, and outputs the received encrypted work to the decryption unit 1908.
[0309]
(3) Decoding unit 1902
The decryption unit 1902 receives the encrypted CRL from the drive unit 1600 via the input / output unit 1905, performs a decryption algorithm D3 on the received encrypted CRL, generates an NRP group and NRP signature data, and generates the generated NRP group. And the NRP signature data to the authentication unit 1903.
[0310]
(4) Authentication unit 1903
The authentication unit 1903 stores a certificate authority public key distributed from the certificate authority device 1100 in advance. The certificate authority public key corresponds to the above-described certificate authority secret key, and is generated based on the certificate authority secret key using a public key generation algorithm of a public key cryptosystem.
[0311]
The authentication unit 1903 receives the NRP group and the NRP signature data from the decryption unit 1902, performs a digital signature verification algorithm VER on the NPR group and the NRP signature data using the certificate authority public key, and verifies the validity of the NRP group. I do.
Here, the verification algorithm VER corresponds to the digital signature SIG described above, and performs verification using signature data generated by the digital signature SIG.
[0312]
When the verification result indicates the validity of the NRP group, that is, when the verification is successful, the authentication unit 1903 outputs success information indicating the verification success to the control unit 1906. In this case, the authentication unit 1903 further outputs the NRP group to the control unit 1906. On the other hand, when the verification result indicates that the NRP group is invalid, that is, when the verification fails, the authentication unit 1903 outputs failure information indicating the verification failure to the control unit 1906.
[0313]
(5) Decoding section 1908
The decryption unit 1902 receives the encrypted work from the control unit 1906, performs a decryption algorithm D3 on the received encrypted work, generates a digital work, and outputs the generated digital work to the reproduction unit 1907.
(6) Reproduction unit 1907
The reproducing unit 1907 receives the digital work from the decrypting unit 1902, and reproduces and outputs the received digital work.
[0314]
(7) Display unit 1904
The display unit 1904 receives a message from the control unit 1906 under the control of the control unit 1906, and displays the received message.
(8) Input unit 1909
The input unit 1909 receives an input from an operator.
[0315]
7.6 Drive unit 1600
As shown in FIG. 58, the drive unit 1600 includes an information storage unit 1601, a read unit 1602, a control unit 1603, an authentication unit 1604, and an input / output unit 1605.
(1) Information storage unit 1601
As shown in FIG. 58, the information storage unit 1601 includes an area for storing a serial number, a drive secret key, a public key certificate, and certificate signature data.
[0316]
As described above, in the process of manufacturing the drive unit 1600 by the drive manufacturer, the manufacturing apparatus 1200 and the drive unit 1600 are connected, and the serial number, the drive secret key, the public key certificate, and the certificate signature data are stored in the manufacturing apparatus. The data is written in the information storage unit 1601 by 1200.
The serial number, the drive private key, the public key certificate, and the certificate signature data are as described above, and thus the description will be omitted here.
[0317]
(2) Control unit 1603
The control unit 1603 receives a CRL read instruction, a public key certificate request, a random number R, and a work read request from the main unit 1900 via the input / output unit 1605.
Upon receiving the CRL read instruction, the control unit 1603 reads the encrypted CRL from the DVD 1800 via the read unit 1602, and outputs the read encrypted CRL to the main unit 1900 via the input / output unit 1605.
[0318]
Upon receiving the request for the public key certificate, control unit 1603 reads the public key certificate from information storage unit 1601, and outputs the read public key certificate to main unit 1900 via input / output unit 1605.
Upon receiving the random number R, the control unit 1603 outputs the received random number R to the authentication unit 1604, and controls the authentication unit 1604 to generate authentication signature data.
[0319]
Upon receiving the request to read the work, the control unit 1603 reads the encrypted work from the DVD 1800 via the read unit 1602 and outputs the read encrypted work to the main unit 1900 via the input / output unit 1605. I do.
Next, the control unit 1603 receives the authentication signature data from the authentication unit 1604, and outputs the received authentication signature data to the main unit 1900 via the input / output unit 1605.
[0320]
(3) Authentication unit 1604
The authentication unit 1604 receives the random number R from the control unit 1603, reads the drive secret key from the information storage unit 1601 under the control of the control unit 1603, and uses the read drive secret key to On the other hand, the digital signature is applied to generate the authentication signature data, and the generated authentication signature data is output to the control unit 1603.
[0321]
(4) Reading unit 1602
The reading unit 1602 reads information from the DVD 1800 under the control of the control unit 1603, and outputs the read information to the control unit 1603.
(5) Input / output unit 1605
The input / output unit 1605 transmits and receives information between the control unit 1603 and the main unit 1900 under the control of the control unit 1603.
[0322]
7.7 Operation of Authentication System 1000
(1) Operation of manufacturing apparatus 1200 and manufacturing apparatus 1300
The operations of the manufacturing apparatuses 1200 and 1300 will be described with reference to the flowchart shown in FIG.
The input unit 1202 receives the input of the serial number of the drive unit 1600 from the operator of the manufacturing apparatus 1200, outputs the received serial number to the control unit 1204, and the control unit 1204 receives the serial number from the input unit 1202. (Step S501). Next, the input unit 1202 receives an input of an expiration date from the operator of the manufacturing apparatus 1200, outputs the received expiration date to the control unit 1204, and the control unit 1204 receives the expiration date from the input unit 1202. (Step S502).
[0323]
Next, the control unit 1204 generates a random number, generates a drive secret key based on the generated random number (step S503), and then uses the generated drive secret key using RSA public key encryption technology. Then, a drive public key is generated (step S504).
Next, the control unit 1204 transmits the generated drive public key, the received expiration date, and a public key certificate issuance request indicating a request to issue a public key certificate via the communication unit 1206 and the Internet 1010 to the certificate authority device. Output to 1100 (step S505).
[0324]
Next, the control unit 1204 receives the public key certificate and the certificate signature data from the certificate authority apparatus 1100 via the Internet 1010 and the communication unit 1206 (step S506), and obtains the serial number, the drive secret key, and the drive public key. , And generates the manufacturing information including the expiration date, the public key certificate, and the certificate signature data, and writes the generated manufacturing information into the manufacturing information table 1211 of the information storage unit 1200 (step S507).
[0325]
The control unit 1204 outputs the serial number, the drive secret key, the public key certificate, and the certificate signature data to the writing unit 1205. The writing unit 1205 sends the serial number, the drive secret key, and the public key from the control unit 1204. The key certificate and the certificate signature data are received, and the received serial number, drive private key, public key certificate, and certificate signature data are written in the information storage unit 1601 of the drive unit 1600 (step S508).
[0326]
Further, the control unit 1204 discloses the serial number and the drive public key via the communication unit 1206 and the Internet 1010 (step S509).
The manufacturing apparatus 1300 obtains the published serial number and drive public key via the Internet 1010 (step S509), and writes the obtained serial number and drive public key to the information storage unit 1901 of the main unit 1900 (step S509). S510).
[0327]
(2) Operation of Issuing Public Key Certificate by Certificate Authority 1100
The operation of issuing a public key certificate by the certificate authority 1100 will be described with reference to the flowchart shown in FIG.
The tree structure construction unit 1101 constructs a data structure of an n-ary tree for managing the public key certificate ID similarly to the tree structure construction unit 101, and stores the constructed tree structure in the tree structure storage unit 1102 (step S521). ).
[0328]
The certificate generation unit 1108 receives a public key certificate issuance request indicating a request for issuing a public key certificate, a drive public key, and an expiration date from the manufacturing apparatus 1200 via the Internet 1010 and the transmission / reception unit 1110 (step S505). ).
Next, the certificate generation unit 1108 selects one of the node information corresponding to the leaves in the tree structure table D1100 stored in the tree structure storage unit 1102 that does not include the drive public key, and selects the selected node information. The received drive public key is written in the node information, and a node name is extracted from the selected node information. Here, the extracted node name is a certificate ID for identifying the public key certificate (step S522). Next, the certificate generation unit 1108 generates a public key certificate including the generated certificate ID, the received expiration date, and the received drive public key (step S523). A digital signature SIG is applied to the generated public key certificate using a secret key of a certificate authority held in secret to generate certificate signature data (step S524).
[0329]
Next, the certificate generation unit 1108 transmits the generated public key certificate and certificate signature data to the manufacturing apparatus 1200 via the transmission / reception unit 1110 and the Internet 1010 (step S506). Further, the certificate generation unit 1108 writes the generated public key certificate into the certificate storage unit 1109 (Step S525). Next, the process returns to step S505 to repeat the processing.
[0330]
(3) CRL Issuing Operation by Certificate Authority 1100
The operation of issuing a CRL by the certificate authority apparatus 1100 will be described with reference to the flowchart shown in FIG.
When the administrator of the certificate authority apparatus 1100 knows the certificate ID of the public key certificate to be revoked, the invalidation notifying unit 1104 sends the public key to be revoked via the input unit 1111 by the operation of the administrator. The certificate ID of the certificate is obtained, and the obtained certificate ID is output to the tree structure updating unit 1105 (step S541).
[0331]
Next, the tree structure updating unit 1105 receives the certificate ID from the invalidation notifying unit 1104, and updates the tree structure table D1100 in the same manner as the tree structure updating unit 105 (Step S542). Next, the CRL generation unit 1103 generates an NRP group, similarly to the key information header generation unit 106 (step S543).
Next, the CRL generation unit 1103 applies a digital signature SIG to the generated NRP group using the certificate authority private key held only by the certificate authority device 1100 in secret, and generates NRP signature data (step In step S544, a CRL including the NRP group and the generated NRP signature data is generated (step S545), and the generated CRL is written in the CRL storage unit 1106 (step S546). Next, the CRL generation unit 1103 transmits the generated CRL to the copyrighted work recording device 1400 via the CRL transmission unit 1107 and the Internet 1010 (step S547).
[0332]
The transmission / reception unit 1404 of the copyrighted work recording device 1400 receives the CRL from the certificate authority device 1100 via the Internet 1010 and outputs the received CRL to the encryption unit 1402. The CRL is received (Step S547).
Next, the encryption unit 1402 reads the digital work from the work storage unit 1401 in accordance with the instruction of the operator, performs an encryption algorithm E3 on the read digital work, and generates an encrypted work (step S1). (S548) Then, the received CRL is subjected to the encryption algorithm E3 to generate an encrypted CRL (step S549).
[0333]
Next, the encryption unit 1402 outputs the generated encrypted work and the encrypted CRL to the writing unit 1403 (step S550).
(4) Operations of the main unit 1900 and the drive unit 1600
The operations of the main unit 1900 and the drive unit 1600 will be described with reference to the flowcharts shown in FIGS.
[0334]
The control unit 1906 of the main unit 1900 outputs a CRL read instruction indicating CRL reading to the drive unit 1600 via the input / output unit 1905, and the control unit 1603 of the drive unit 1600 sends the input / output unit A CRL read instruction is received via 1605 (step S561).
Next, the control unit 1603 reads the encrypted CRL from the DVD 1800 via the reading unit 1602 (step S562), and outputs the read encrypted CRL to the main unit 1900 via the input / output unit 1605 (step S562). S563).
[0335]
Next, the decryption unit 1902 receives the encrypted CRL from the drive unit 1600 via the input / output unit 1905 (step S563), performs a decryption algorithm D3 on the received encrypted CRL, and converts the NRP group and the NRP signature data. The generated NRP group and NRP signature data are output to the authentication unit 1903 (step S564).
[0336]
The authentication unit 1903 receives the NRP group and the NRP signature data from the decryption unit 1902, performs a digital signature verification algorithm VER on the NPR group and the NRP signature data using the public key of the certification authority, and verifies the validity of the NRP group. Then, success information or failure information is output to the control unit 1906, and when the success information is output, the NRP group is further output to the control unit 1906 (step S565).
[0337]
Next, when the failure information is received (step S566), the control unit 1906 outputs a message indicating that the verification has failed to the display unit 1904, and controls to display the message (step S566). S567). After that, the control unit 1906 stops access to the DVD by the drive unit 1600.
When receiving the success information (step S566), the control unit 1906 further requests a public key certificate from the drive unit 1600 via the input / output unit 1905 (step S568).
[0338]
The control unit 1603 receives the request for the public key certificate from the main unit 1900 via the input / output unit 1605 (step S568), reads the public key certificate from the information storage unit 1601 (step S569), and reads the read public key certificate. The key certificate is output to the main unit 1900 via the input / output unit 1605 (step S570).
Next, the control unit 1906 receives the public key certificate from the drive unit 1600 (step S570), extracts a certificate ID from the received public key information (step S571), and outputs the extracted certificate ID and the authentication unit 1903. The public key certificate is determined to be invalid using the NRP group received from (step S572).
[0339]
If the control unit 1906 determines that the public key certificate is invalid (step S573), the control unit 1906 outputs a message indicating that the public key certificate is invalid to the display unit 1904. The display is controlled (step S574). After that, the control unit 1906 stops access to the DVD by the drive unit 1600.
[0340]
On the other hand, if it is determined that the public key certificate is valid (step S573), the control unit 1906 generates a random number R (step S575), and transmits the generated random number R to the drive via the input / output unit 1905. Output to the unit 1600 (step S576).
The control unit 1603 receives the random number R from the main unit 1900 via the input / output unit 1605 (step S576), outputs the received random number R to the authentication unit 1604, and sends the authentication signature data to the authentication unit 1604. The authentication unit 1604 applies a decisional signature SIG to the received random number R to generate authentication signature data (step S577), and sends the generated authentication signature data to the control unit 1603. Output (Step S578).
[0341]
The control unit 1906 receives the authentication signature data from the drive unit 1600 (Step S578). Next, the control unit 1906 reads the drive public key from the information storage unit 1901, performs a verification algorithm VER on the generated random number R and the received authentication signature data using the read drive public key, and Is verified (step S579).
[0342]
If the verification fails (step S580), the control unit 1906 outputs a message indicating that the drive unit 1600 is invalid to the display unit 1904, and controls to display the message (step S586). After that, the control unit 1906 stops access to the DVD by the drive unit 1600.
If the verification is successful (step S580), the control unit 1906 outputs an instruction to read the copyrighted work to the drive unit 1600 via the input / output unit 1905 (step S581).
[0343]
The control unit 1603 receives a work read request from the main unit 1900 via the input / output unit 1605 (step S581), reads the encrypted work from the DVD 1800 via the read unit 1602 (step S582), The read encrypted work is output to the main unit 1900 via the input / output unit 1605 (step S583).
[0344]
Next, the control unit 1906 receives the encrypted work from the drive unit 1600 via the input / output unit 1905 (step S583), outputs the received encrypted work to the decryption unit 1908, and the decryption unit 1902 The encrypted work is received from the control unit 1906, a decryption algorithm D3 is applied to the received encrypted work to generate a digital work, and the generated digital work is output to the reproducing unit 1907 (step S584).
[0345]
The reproducing unit 1907 receives the digital work from the decrypting unit 1902, and reproduces and outputs the received digital work (Step S585).
7.8 Other Modifications
As described above, the technology described in the first embodiment is applied to the sixth embodiment. That is, in the generation of the CRL and the revocation determination of the public key certificate in the authentication system 1000 shown in the sixth embodiment, the method of generating the header information shown in the first embodiment and the identification of the encrypted media key are performed. The method has been applied.
[0346]
In the sixth embodiment, the second to fifth embodiments and their modifications may be applied. That is, the method of generating the header information and the method of specifying the encrypted media key shown in the second to fifth embodiments and the modified examples thereof are described in the CRL in the authentication system 1000 shown in the sixth embodiment. May be applied to the generation of the public key certificate and the revocation determination of the public key certificate.
[0347]
In the sixth embodiment to which the second embodiment is applied, when all descendants of a certain node are invalidation nodes, the NRP is expressed as “00”, but the present invention is not limited to this. Not. For example, "0" and "1" may be interchanged and "11" may be used as the NRP meaning the above. Further, one bit may be added and the bit may be used as a bit meaning the above.
[0348]
In the sixth embodiment to which the third embodiment is applied, similarly to the second embodiment, when all descendants of a certain node are invalidation nodes, the NRP is expressed as “00”. , One bit may be added and the bit may be used as a bit meaning the above.
If there is no revoked public key certificate, a CRL including information indicating that fact may be generated.
[0349]
7.9 Summary
As described above, the present invention relates to an authentication system using public key cryptography, which has a secret key and a public key in a public key cryptographic algorithm, and uses the secret key to give a communication partner its own validity. Terminal, a public key certificate issuing device for issuing and distributing a public key certificate to at least data comprising a public key of the terminal device, and a public key certificate for the terminal device to be invalidated. A revocation list generating device for issuing and distributing a public key certificate revocation list for specifying the public key certificate issued by the key certificate issuing device, a public key certificate of the terminal device to be verified, and the public key certificate Revocation list receiving device, and a revocation list using device that determines whether the public key certificate is registered in the public key certificate revocation list. Composed of a verification device for verifying a self correctness proof performed by the communication partner by using a cross-sectional public key.
[0350]
The revocation list generation device constructs and stores a tree structure including a plurality of layers, assigns a unique value for identifying a public key certificate of each terminal device to a leaf of the tree structure, and further stores and stores If a unique value of a public key certificate to be revoked is associated with at least one of the leaves that are descendants of a node for a given tree structure, that node is regarded as a revoked node, and at least one of the child nodes For a node, one of which is an invalidation node, an identifier for identifying whether each child node is an invalidation node is indicated by an identifier for identifying whether or not each child node is an invalidation node. The public key certificate revocation list is further arranged by arranging node revocation patterns of the entire tree structure based on a predetermined rule for tracing all nodes of the tree structure. Generated.
[0351]
The revocation list using apparatus analyzes a public key certificate revocation list in which the node revocation patterns are arranged based on the predetermined rule, and determines that the public key certificate of the terminal to be verified is invalidated. It is determined whether or not it is registered in the list.
The present invention also provides a public key certificate issuing device for issuing and distributing a public key certificate to data comprising a public key of a terminal device, and a public key certificate issuing device for the terminal device to be revoked. A revocation list generation device that issues and distributes a public key certificate revocation list that specifies the public key certificate issued by the device.
[0352]
The revocation list generation device constructs and stores a tree structure including a plurality of layers, assigns a unique value for identifying a public key certificate of each terminal device to a leaf of the tree structure, and further stores and stores If a unique value of a public key certificate to be revoked is associated with at least one of the leaves that are descendants of a node for a given tree structure, that node is regarded as a revoked node, and at least one of the child nodes For a node, one of which is an invalidation node, an identifier for identifying whether each child node is an invalidation node is indicated by an identifier for identifying whether or not each child node is an invalidation node. The public key certificate revocation list is further arranged by arranging node revocation patterns of the entire tree structure based on a predetermined rule for tracing all nodes of the tree structure. Generated.
[0353]
Further, the present invention receives a public key certificate of the partner terminal device to be verified and the public key certificate revocation list, and determines whether or not the public key certificate is registered in the public key certificate revocation list. The revocation list using device to be determined.
The revocation list using apparatus analyzes a public key certificate revocation list in which the node revocation patterns are arranged based on the predetermined rule, and determines that the public key certificate of the terminal to be verified is invalidated. It is determined whether or not it is registered in the list.
[0354]
Here, the authentication system may be configured to distribute the revocation list using a communication medium as a revocation list distribution unit.
Here, the revocation list using apparatus may be configured to distribute the revocation list using a communication medium as a revocation list distribution unit.
Here, the authentication system may be configured to distribute the revocation list using a recording medium as a revocation list distribution unit.
[0355]
Here, the revocation list using device may be configured to distribute the revocation list using a recording medium as a revocation list distribution unit.
Here, the authentication system identifies a node in which all the leaves that are descendants of the invalidated node are invalidated among the node invalidation patterns given to the invalidated node. It may be configured to give a node invalidation pattern.
[0356]
Here, the revocation list generation device, for a node in which all leaves that are descendants of the revocation node are revoked in the node revocation pattern given to the revocation node, It may be configured to provide the identified node invalidation pattern.
Here, the authentication system adds, to the node invalidation pattern given to the invalidation node, information representing whether or not all the leaves that are descendants of the invalidation node are invalidated, and adds the node invalidation pattern. May be configured.
[0357]
Here, the revocation list generation device adds, to a node revocation pattern given to the revocation node, information indicating whether or not all the leaves that are descendants of the revocation node are revoked. An invalidation pattern may be configured.
Here, the authentication system is based on a rule for arranging the node invalidation patterns, starting from the root of the tree structure, giving priority to a node in an upper layer, and giving priority to a node on the left side in the same layer. You may comprise so that the node invalidation pattern of the invalidation node which appears may be arranged.
[0358]
Here, the revocation list generation device has a rule that, starting from the root of the tree structure, gives priority to nodes in upper layers and gives priority to left nodes in the same layer, as rules for arranging node revocation patterns. May be arranged so that the node invalidation patterns of the invalidation nodes appearing on the basis of.
Here, it is assumed that, in the authentication system, all nodes configuring the tree structure are invalidated. The nodes constituting this tree structure are called a processed node set. At this time, a node that has not been invalidated is newly added to the tree structure as follows. Here, adding a node is referred to as expanding a tree structure. A tree structure including a processed node set is considered as an initial state. In the initial state, a child node is further added to a node belonging to a lower layer of the tree structure. At this time, when a plurality of nodes belong to the lower layer, a child node is preferentially added to the left node among the plurality of nodes. After expanding the tree structure based on such an extension rule, a public key certificate is assigned to the lowest node, that is, a leaf.
[0359]
Here, when the public key certificate is revoked, as described above, the revocation list generation device invalidates all nodes on the route from the node to the root. At this time, the node invalidation patterns of the invalidation nodes are arranged based on the extension rule.
At this time, the revocation list using device analyzes the public key certificate revocation list in which the node revocation patterns are arranged based on the extension rule, and determines that the public key certificate of the terminal to be verified is It is determined whether or not it is registered in the revocation list.
[0360]
8. Other modifications
(1) The present invention may be the method described above. Further, these methods may be a computer program that is realized by a computer, or may be a digital signal formed by the computer program.
Further, the present invention records the computer program or the digital signal on a computer-readable recording medium such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, and a semiconductor memory. It may be done. Further, the present invention may be the computer program or the digital signal recorded on these recording media.
[0361]
Further, according to the present invention, the computer program or the digital signal may be transmitted via an electric communication line, a wireless or wired communication line, a network represented by the Internet, or the like.
The present invention may be a computer system including a microprocessor and a memory, wherein the memory stores the computer program, and the microprocessor operates according to the computer program.
[0362]
Further, the program or the digital signal is recorded on the recording medium and transferred, or the program or the digital signal is transferred via the network or the like, so that it is executed by another independent computer system. It may be.
(2) The above embodiments and the above modifications may be combined.
[0363]
9. Conclusion
As is apparent from the above description, according to the invention disclosed in the first embodiment, key information can be made compact by arranging NRPs in order of level as header information of key information recorded in advance on a recording medium. It is also possible to specify an encrypted media key that the player should efficiently decrypt.
[0364]
According to the invention disclosed in the second embodiment, a bit indicating whether or not all descendants of a certain node are invalidating devices is added to the head of the NRP as header information. When concentrated, header information can be reduced.
Further, according to the invention disclosed in the third embodiment, it is possible to further reduce header information by determining whether or not all descendants of a certain node are invalidation devices in a certain specific pattern. .
[0365]
Further, according to the inventions disclosed in the fourth and fifth embodiments, the order of NRPs can be other than the order disclosed in the first to third embodiments.
Further, according to the invention disclosed in the sixth embodiment, the size of the CRL can be kept small even if the number of public key certificates to be revoked increases.
[0366]
10. Industrial potential
The authentication system for determining a revoked public key certificate described above uses a public key cryptosystem to transmit a secret message, authenticate a partner, prevent non-repudiation, share a key, throw coins, share secrets, etc. Is applied when determining whether the public key certificate is valid. For example, as shown in Embodiment 6, the present invention is applied to the case where the validity of a drive unit is authenticated. Also, in electronic commerce in which goods are bought and sold via the Internet, the present invention is applied when authenticating whether or not a trading partner is legitimate.
[0367]
【The invention's effect】
As described above, the present invention uses a revocation list generation device that generates a revocation list indicating a revoked public key certificate, and uses the revocation list to determine whether the acquired public key certificate is invalid. And an invalidation determination device that suppresses the use of a public key corresponding to the case where the invalidation is determined. The revocation list generation device includes a plurality of leaves each having a tree structure. A leaf identifier corresponding to a plurality of public key certificates and indicating each leaf identifies each public key certificate, and at least one public key certificate among the public key certificates is invalidated. All nodes from the leaf indicated by the leaf identifier that identifies the converted public key certificate to the root are invalidated, and a tree structure storage unit having a plurality of nodes constituting the tree structure; To For each invalidated node, invalidation information indicating whether each of the lower nodes is invalidated is generated, and as a result, a plurality of invalidation information is obtained, and the obtained plurality of invalidation information is obtained. Comprises an invalidation list generating means for generating an invalidation list by arranging the tree according to the arrangement order related to the configuration of the tree structure, and an output means for outputting the generated invalidation list. A certificate obtaining unit for obtaining a public key certificate identified by a leaf identifier indicating one leaf of a structure; a list obtaining unit for obtaining the revocation list; and a list arranged in the obtained revocation list. Attempt to construct a route from the root to the leaf using the revocation information, and if the constructed route includes the leaf, it is determined that the obtained public key certificate is invalid. And, if the does not contain leaf, and a judging means for the public key certificate obtained is determined to be valid. The revocation list generating apparatus generates a revocation list indicating a revoked public key certificate, wherein a plurality of leaves having a tree structure correspond to the plurality of public key certificates, and indicate each leaf. The leaf identifier identifies each public key certificate, at least one of the public key certificates has been revoked, and is indicated by a leaf identifier identifying the revoked public key certificate. All the nodes from the leaf to the root are invalidated, and a tree structure storage means having a plurality of nodes constituting the tree structure, and for each invalidated node except the leaf, a lower node Invalidation information indicating whether or not each is invalidated is generated. As a result, a plurality of pieces of invalidation information are obtained, and the obtained plurality of pieces of invalidation information are arranged according to the arrangement order according to the tree structure. Provided by a revocation list generation means for generating a revocation list by, and output means for outputting the generated revocation list that. Also, using the revocation list indicating the revoked public key certificate generated by the revocation list generation device, it is determined whether or not the obtained public key certificate is invalid. The revocation list generation device has a plurality of nodes constituting a tree structure, and a plurality of leaves of the tree structure each have a plurality of public key certificates. And a leaf identifier indicating each leaf identifies each public key certificate, and at least one of the public key certificates has been revoked, and the revoked public key certificate has been revoked. All nodes from the leaf to the root indicated by the leaf identifier that identifies the book are invalidated, and for each invalidated node except the leaf, whether each of the lower nodes is invalidated To A plurality of pieces of revocation information are obtained, and the obtained pieces of revocation information are arranged in accordance with the arrangement order of the tree structure to generate a revocation list. The invalidation list is output, and the invalidation determination device acquires a public key certificate identified by a leaf identifier indicating one leaf of the tree structure, and acquires the revocation list. Using a list acquisition unit and the invalidation information arranged in the acquired invalidation list, an attempt is made to construct a route from a root to the leaf, and when the leaf is included in the constructed route, A determination unit that determines that the obtained public key certificate is invalid, and determines that the obtained public key certificate is valid when the leaf is not included.
[0368]
According to these configurations, the revocation list generation device generates revocation information indicating whether or not each of the lower nodes has been revoked for each revoked node except the leaf. The size can be kept small. Further, the invalidation determination device attempts to construct a path from a root to the leaf using the invalidation information, and when the constructed path includes the leaf, the acquired public key certificate is Since it is determined that the certificate is invalid, the revoked public key certificate can be reliably determined.
[0369]
Here, the tree structure is composed of a plurality of layers, and the revocation list generating means converts the obtained revocation information from the root to the leaf-side layer in order from the root to the leaf-side layer. Are arranged according to the above-mentioned arrangement order. The tree structure is composed of a plurality of layers, and the invalidation information is arranged in accordance with the arrangement order, which is an order from a root-side layer to a leaf-side layer, starting from a root, and the determination unit includes: Using the plurality of pieces of revocation information arranged according to the arrangement order, constructing the path, and determining whether the acquired public key certificate is invalid.
[0370]
According to these configurations, the revocation list generation device arranges the obtained pieces of revocation information according to the arrangement order, which is the order from the layer on the root side to the layer on the leaf side, starting from the root. The route can be reliably established by the invalidity determination device.
Here, the revocation list generating means may use the obtained pieces of revocation information in the order of the nodes arranged on the route from the root to each leaf, starting from the root, and not being arranged in a redundant manner. Arrange in accordance with the arrangement order. In addition, the invalidation information is arranged in accordance with the order of nodes arranged on the route from the root to each leaf, starting from the root, and is not arranged in an overlapping manner. The route is constructed using the plurality of pieces of revocation information arranged according to the arrangement order, and the invalidation of the obtained public key certificate is determined.
[0371]
According to these configurations, the revocation list generation device uses the obtained plurality of revocation information as an order of nodes arranged on a route from the root to each leaf, starting from the root, and overlapping. Since the paths are arranged according to the non-arranged arrangement order, the path can be reliably established by the invalidation determination device.
Here, the revocation list generating means generates revocation information for all revoked nodes except for the leaf. In addition, revocation information is generated for all revoked nodes except for the leaf, and the determining unit determines revocation of the acquired public key certificate using the plurality of revocation information.
[0372]
According to these configurations, the revocation list generation device generates revocation information for all revoked nodes except the leaf, so that revocation information is not missing from the revocation list.
Here, the revocation list generating means may determine that all the nodes connected to the lower side of the invalidated nodes except for the leaf, in which all the nodes connected to the lower side are invalidated. Generate special invalidation information indicating that invalidation has been performed, and for all invalidated nodes connected to the lower side, suppress generation of invalidation information, and disable other invalidated nodes except for leaves , Invalidation information indicating whether each of the lower nodes is invalidated is generated. In addition, a special node indicating that all nodes connected to the lower side are invalidated for nodes that have been invalidated except for the leaf and all nodes connected to the lower side have been invalidated. Invalidation information is generated, generation of invalidation information is suppressed for all invalidated nodes connected to the lower side, and for all invalidated nodes other than leaves, the lower n nodes Revocation information indicating whether or not each has been revoked is generated, and the determination unit determines revocation of the obtained public key certificate using the special revocation information and the revocation information.
[0373]
According to these configurations, the revocation list generation device, for all the nodes that are revoked except for the leaf and for which all nodes connected to the lower side are revoked, are connected to the lower side. Since the special revocation information indicating that the node is revoked is generated, the size of the revocation list can be further reduced.
Here, the tree structure is an n-ary tree, where n is an integer of 2 or more, and the revocation list generating unit is a revoked node except for a leaf and connects to a lower side. The first additional information indicating that all nodes connected to the lower side are invalidated, and each of the lower n nodes is invalidated when all nodes are invalidated. , Generating special invalidation information composed of n-digit information indicating the invalidation of all the invalidated nodes connected to the lower side, suppressing generation of invalidation information, and performing other invalidation except for leaves Additional information indicating that all nodes connected to the lower side have not been invalidated, and n-digit information indicating whether or not each of the lower n nodes has been invalidated for the given node Generate invalidation information consisting of . In addition, for a node that has been invalidated except for the leaf and in which all nodes connected to the lower side are invalidated, a node indicating that all nodes connected to the lower side are invalidated. 1 special additional information and n-digit information indicating that each of the lower n nodes is invalidated are generated, and all invalidated information connected to the lower side is invalidated. The generation of invalidation information is suppressed for the node that has been invalidated. For the invalidated nodes other than the leaf, second additional information indicating that all nodes connected to the lower side are not invalidated, Invalidation information composed of n-digit information indicating whether or not each of the n nodes is invalidated is generated, and the determination unit uses the special invalidation information and the invalidation information to generate the invalidation information. The obtained public To determine the invalidity of the key certificate.
[0374]
According to these configurations, the revocation list generation device, for all the nodes that are revoked except for the leaf and for which all nodes connected to the lower side are revoked, are connected to the lower side. Generating special invalidation information including first additional information indicating that the node is invalidated and n-digit information indicating that each of the lower n nodes is invalidated; Since the generation of revocation information is suppressed for all revoked nodes connected to the lower side, the size of the revocation list can be reduced.
[0375]
Here, the tree structure is an n-ary tree, where n is an integer of 2 or more, and the revocation list generating unit is a revoked node except for a leaf and connects to a lower side. For all the nodes that have been invalidated, special invalidation information composed of an n-digit special value indicating that each of the lower n nodes is invalidated is generated, and For all the invalidated nodes to be connected, generation of invalidation information is suppressed, and for each of the invalidated nodes other than the leaf, it indicates whether or not each of the lower n nodes is invalidated. Generate n-digit invalidation information. In addition, for nodes that have been invalidated except for the leaf and for which all nodes connected to the lower side have been invalidated, n indicates that each of the lower n nodes has been invalidated. Special invalidation information composed of special values of digits is generated, and generation of invalidation information is suppressed for all invalidated nodes connected to the lower side, and other invalidated nodes except for leaves , N-digit invalidation information indicating whether or not each of the lower n nodes is invalidated is generated, and the determination unit obtains the invalidation information using the special invalidation information and the invalidation information. It is determined whether the public key certificate is invalid.
[0376]
According to these configurations, the revocation list generation device determines, for all the nodes that are revoked except the leaves and for which all the nodes connected to the lower side are revoked, of the lower n nodes. It generates special invalidation information composed of an n-digit special value indicating that each is invalidated, and suppresses generation of invalidation information for all invalidated nodes connected to the lower side. Therefore, the size of the revocation list can be reduced.
[0377]
Here, all the nodes of the tree structure storage means are invalidated, and the tree structure further includes one tree below the leaves constituting the tree structure in accordance with the expansion rule for expanding the tree structure. One or more extended leaves which are the lowest nodes among the extended nodes correspond to different extended public key certificates, and the extended leaf identifier indicating each extended leaf is At least one of the extended public key certificates that identify the public key certificate has been revoked, and is indicated by an extended leaf identifier that identifies the revoked extended public key certificate. All nodes from the extended leaf to the root are invalidated, and the revocation list generating means further includes a subordinate extended node for each invalidated extended node except the extended leaf. Are generated, indicating whether or not each of them is invalidated.As a result, a plurality of extended invalidation information is obtained, and the obtained plurality of extended invalidation information is related to the extension of the tree structure. Arranged according to the extension rule and added to the revocation list, the output means outputs the revocation list to which extended revocation information is added. Further, all nodes of the revocation list generation device are revoked, and the tree structure further includes one tree below a leaf configuring the tree structure according to an expansion rule related to expansion of the tree structure. One or more extended leaves which are the lowest nodes among the extended nodes having the above extended nodes respectively correspond to different extended public key certificates, and the extended leaf identifier indicating each extended leaf is an extended public key. At least one of the extended public key certificates for identifying a key certificate has been revoked, and the extension indicated by an extended leaf identifier for identifying the revoked extended public key certificate All nodes from the leaf to the root are invalidated, and the revocation list generation device further performs lower-level expansion for each invalidated expansion node except the expansion leaf. Generates extended invalidation information indicating whether or not each of the nodes is invalidated.As a result, a plurality of extended invalidation information is obtained, and the obtained plurality of extended invalidation information is used to extend the tree structure. Arranged according to the extension rule and added to the revocation list, the revocation list to which the extended revocation information is added is output, and the certificate acquisition unit further includes one extended leaf of the tree structure. Acquiring the extended public key certificate identified by the extended leaf identifier indicated by the extended leaf key identifier, the list acquiring unit acquires the revocation list to which extended revocation information is added, and the determining unit further acquires the acquired invalidation. Using the extended invalidation information arranged in the activation list, an attempt is made to construct a path from a root to the extended leaf, and when the extended leaf is included in the constructed path, the acquired It determines that Zhang public key certificate is invalid, when the do not include extension leaf, the extended public key certificate obtained is determined to be valid.
[0378]
According to these configurations, the revocation list generation device, for each of the revoked extended nodes except for the extended leaf, indicates whether or not each of the subordinate extended nodes has been revoked according to the extension rule. Since the information is generated, even if the tree structure is expanded, it is possible to generate a CRL with a small size. Further, the invalidation determination device attempts to construct a route from a root to the extended leaf using the extended invalidation information, and when the extended leaf is included in the constructed route, the acquired extended public information is acquired. Since it is determined that the key certificate is invalid, the revoked extended public key certificate can be reliably determined.
[0379]
Further, the present invention is a revocation list generation device that generates a revocation list indicating a revoked public key certificate, wherein a plurality of leaves in a tree structure respectively correspond to a plurality of public key certificates, A leaf identifier indicating each leaf identifies each public key certificate, none of the public key certificates has been revoked, and all nodes have not been revoked, forming the tree structure. The tree structure storage means having a plurality of nodes to be executed and all the nodes constituting the tree structure are determined not to be revoked, and a revocation list indicating that there is no revoked public key certificate is generated. And an output unit for outputting the generated revocation list. Also, using the revocation list indicating the revoked public key certificate generated by the revocation list generation device, it is determined whether or not the obtained public key certificate is invalid. The revocation list generation device has a plurality of nodes constituting a tree structure, and a plurality of leaves of the tree structure each have a plurality of public key certificates. The leaf identifier indicating each leaf identifies each public key certificate, none of the public key certificates has been revoked, and all nodes have not been revoked, All nodes constituting the structure determine that the revocation has not been performed, generate a revocation list indicating that the revoked public key certificate does not exist, output the generated revocation list, and output the revocation list. The judgment device is one of the tree structures Certificate obtaining means for obtaining a public key certificate identified by a leaf identifier indicating a leaf, list obtaining means for obtaining the revocation list, and using the obtained revocation list, a public key certificate is invalidated. Determining means for determining that the data has not been converted.
[0380]
According to these configurations, when there is no revoked public key certificate, the revocation list generation device generates and outputs a revocation list indicating that, so that the public key certificate does not exist. Can be notified. Further, the revocation determination device determines that the public key certificate has not been revoked by using the obtained revocation list. Therefore, if there is no revoked public key certificate, the Can be used.
[Brief description of the drawings]
FIG. 1 is a block diagram showing a configuration of a copyrighted work protection system 10.
FIG. 2 is a block diagram showing a configuration of a key management device 100.
FIG. 3 shows an example of a data structure of a tree structure table D100.
FIG. 4 is a conceptual diagram showing a tree structure T100.
FIG. 5 is a conceptual diagram showing a tree structure T200 including an invalidated node.
FIG. 6 is a data structure diagram illustrating an example of a node invalidation pattern.
FIG. 7 is a data structure diagram illustrating an example of key information including a plurality of encrypted media keys.
FIG. 8 is a block diagram illustrating a configuration of a recording device 300a.
FIG. 9 is a block diagram showing a configuration of a playback device 400a.
FIG. 10 is a flowchart showing an operation of assigning a device key to a user device, an operation of generating key information and writing it on a recording medium, and an operation of encrypting or decrypting content by the user device. In particular, it is a flowchart showing the operation of each device until the device key is exposed by an unauthorized third party.
FIG. 11 shows an operation of invalidating a node in a tree structure corresponding to an exposed device key after a device key is exposed by an unauthorized third party, generation of new key information, and generation of new key information on a recording medium. 9 is a flowchart illustrating a writing operation and an operation of encrypting or decrypting content by the user device.
FIG. 12 is a flowchart showing an operation of generating a tree structure table by the tree structure construction unit 101 and writing the tree structure table into the tree structure storage unit 102.
FIG. 13 is a flowchart showing an operation performed by the device key assignment unit 103 to output a device key and ID information to each user device.
14 is a flowchart illustrating an operation of updating a tree structure by the tree structure update unit 105. FIG.
FIG. 15 is a flowchart illustrating an operation of generating header information by the key information header generation unit 106.
FIG. 16 is a flowchart illustrating an operation of generating key information by the key information generation unit 107.
FIG. 17 is a flowchart illustrating an operation of specifying one encrypted media key from key information stored in a recording medium by a specifying unit included in the recording device.
FIG. 18 illustrates an example of a tree structure in a case where user devices to be invalidated may be concentrated on a specific leaf in the tree structure according to the first embodiment.
FIG. 19 is a tree structure showing a special node invalidation pattern when a user device to be invalidated is concentrated on a specific leaf in the tree structure in the second embodiment.
FIG. 20 shows an example of a data structure of a tree structure table D400.
FIG. 21 shows an example of a data structure of header information D500.
FIG. 22 shows an example of the data structure of key information D600.
FIG. 23 is a flowchart showing an operation of generating key information by the key information header generating unit 106. It continues to FIG.
FIG. 24 is a flowchart showing an operation of generating header information by a key information header generation unit 106. It continues to FIG.
FIG. 25 is a flowchart showing an operation of generating the header information by the key information header generation unit 106. It continues to FIG.
FIG. 26 is a flowchart showing an operation of generating key information by the key information header generating unit 106. Continued from FIG.
FIG. 27 is a flowchart illustrating an operation of specifying one encrypted media key from the key information stored in the recording medium 500b by the specifying unit 303 included in the recording device 300a.
FIG. 28 is a tree structure showing a special node invalidation pattern in the third embodiment.
FIG. 29 shows an example of the data structure of header information D700.
FIG. 30 shows an example of the data structure of key information D800.
FIG. 31 is a flowchart illustrating an operation of generating header information. It continues to FIG.
FIG. 32 is a flowchart illustrating an operation of generating header information. It continues to FIG.
FIG. 33 is a flowchart showing an operation of generating header information. It continues to FIG.
FIG. 34 is a flowchart illustrating an operation of generating header information. Continued from FIG.
FIG. 35 is a flowchart showing an operation of specifying one encrypted media key from the key information stored in the recording medium 500b by the specifying unit 303 included in the recording device 300a.
FIG. 36 is a tree structure showing how to arrange a plurality of node invalidation patterns in the fourth embodiment.
FIG. 37 shows an example of the data structure of a tree structure table D100.
FIG. 38 shows an example of the data structure of header information D900.
FIG. 39 is a flowchart showing an operation of generating a tree structure table by the tree structure construction unit 101 and writing the tree structure table into the tree structure storage unit 102.
40 is a flowchart showing an operation of generating header information by the key information header generation unit 106. FIG. It continues to FIG.
FIG. 41 is a flowchart showing an operation of generating key information by the key information header generating unit 106. Continued from FIG.
FIG. 42 is a flowchart showing an operation of specifying one encrypted media key from the key information stored in the recording medium 500b by the specifying unit 303 included in the recording device 300a.
FIG. 43 is a flowchart showing an operation of generating key information by the key information header generating unit 106. It continues to FIG.
FIG. 44 is a flowchart showing an operation of generating header information by the key information header generation unit 106. It continues to FIG.
FIG. 45 is a flowchart showing an operation of generating key information by the key information header generating unit 106. It continues to FIG.
FIG. 46 is a flowchart illustrating an operation of generating header information by the key information header generation unit 106. Continued from FIG.
FIG. 47 is a flowchart showing an operation of specifying one encrypted media key from the key information stored in the recording medium 500b by the specifying unit 303 included in the recording device 300a.
FIG. 48 is a block diagram showing a configuration of a copyrighted work protection system 10f.
FIG. 49 is a conceptual diagram showing a tree structure T700 including nodes to which revoked device keys KeyA, KeyB, and KeyE are assigned.
FIG. 50 is a data structure diagram showing a configuration of header information D1000 and key information D1010.
FIG. 51 is a flowchart showing an operation of specifying one encrypted media key by the specifying unit 303 included in the recording device 300a.
FIG. 52 is a block diagram showing a configuration of an authentication system 1000.
FIG. 53 is a block diagram showing a configuration of a manufacturing apparatus 1200.
FIG. 54 is a block diagram showing a configuration of a certificate authority apparatus 1100.
FIG. 55 is a data structure diagram showing an example of a CRL.
FIG. 56 is a block diagram showing a configuration of a copyrighted work recording device 1400.
FIG. 57 is a block diagram showing a configuration of a main unit 1900.
FIG. 58 is a block diagram showing a configuration of a drive unit 1600.
FIG. 59 is a flowchart showing an operation of the manufacturing apparatus 1200 and the manufacturing apparatus 1300.
FIG. 60 is a flowchart showing an operation of issuing a public key certificate by the certificate authority apparatus 1100.
FIG. 61 is a flowchart showing an operation of issuing a CRL by the certificate authority apparatus 1100.
FIG. 62 is a flowchart showing the operation of the main unit 1900 and the drive unit 1600. It continues to FIG.
FIG. 63 is a flowchart showing the operation of the main unit 1900 and the drive unit 1600. It continues from FIG.
[Explanation of symbols]
10, 10b-10f Copyright protection system
100 key management device
200 Key information recording device
300a-300c recording device
400a-400c playback device
1000 authentication system
1100 Certificate Authority device
1200 Manufacturing Equipment
1300 Manufacturing equipment
1400 Work recording device
1500 personal computer
1600 drive section
1900 main unit

Claims (27)

A revocation list generation device for generating a revocation list indicating a revoked public key certificate, and determining whether or not the obtained public key certificate is invalid using the revocation list. An authentication system comprising an invalidation determination device that suppresses use of a corresponding public key,
The revocation list generation device,
A plurality of leaves in a tree structure correspond to a plurality of public key certificates, respectively, a leaf identifier indicating each leaf identifies each public key certificate, and at least one public key certificate among the public key certificates is provided. All nodes from the leaf indicated by the leaf identifier that identifies the revoked public key certificate to the root have been revoked, and a plurality of nodes constituting the tree structure have been revoked. Tree structure storage means having
For each invalidated node excluding the leaf, invalidation information indicating whether each of the lower nodes is invalidated is generated, and as a result, a plurality of invalidation information is obtained, and the obtained invalidation information is obtained. Revocation information, revocation list generating means for generating an revocation list by arranging according to the arrangement order related to the configuration of the tree structure,
Output means for outputting the generated revocation list.
The invalidity determination device,
Certificate obtaining means for obtaining a public key certificate identified by a leaf identifier indicating one leaf of the tree structure;
List acquisition means for acquiring the revocation list,
Using the revocation information arranged in the obtained revocation list, an attempt is made to construct a route from a root to the leaf, and if the leaf is included in the constructed route, the acquired disclosure An authentication system for determining that the key certificate is invalid, and determining that the obtained public key certificate is valid when the leaf is not included. A revocation list generation device that generates a revocation list indicating a revoked public key certificate,
A plurality of leaves in a tree structure correspond to a plurality of public key certificates, respectively, a leaf identifier indicating each leaf identifies each public key certificate, and at least one public key certificate among the public key certificates is provided. All nodes from the leaf indicated by the leaf identifier that identifies the revoked public key certificate to the root have been revoked, and a plurality of nodes constituting the tree structure have been revoked. Tree structure storage means having
For each invalidated node excluding the leaf, invalidation information indicating whether each of the lower nodes is invalidated is generated, and as a result, a plurality of invalidation information is obtained, and the obtained invalidation information is obtained. Revocation information, revocation list generating means for generating an revocation list by arranging according to the arrangement order related to the configuration of the tree structure,
Output means for outputting the generated revocation list. The tree structure is composed of a plurality of layers,
The revocation list generation means, the obtained plurality of revocation information,
Starting from the route,
3. The revocation list generation device according to claim 2, wherein the reordering list is arranged in accordance with the arrangement order, which is the order from the root layer to the leaf layer. The revocation list generation means, the obtained plurality of revocation information,
Starting from the route,
The order of nodes arranged on the route from the root to each leaf,
The revocation list generating device according to claim 2, wherein the revocation list is arranged according to the arrangement order that is not overlapped. The revocation list generation device according to claim 2, wherein the revocation list generation unit generates revocation information for all revoked nodes except for the leaf. The revocation list generation means,
Special invalidation indicating that all nodes connected to the lower side are invalidated for all invalidated nodes except for the leaf, and all nodes connected to the lower side are invalidated. Generate information,
For all invalidated nodes connected to the lower side, suppress generation of invalidation information,
3. The revocation list generating device according to claim 2, wherein revocation information indicating whether or not each of the lower nodes is revoked for other revoked nodes other than the leaf is generated. The tree structure is an n-ary tree, where n is an integer of 2 or more,
The revocation list generation means,
A first addition indicating that all nodes connected to the lower side of the invalidated nodes except for the leaf, in which all nodes connected to the lower side are invalidated, are invalidated. Generating special invalidation information including information and n-digit information indicating that each of the lower n nodes is invalidated,
For all invalidated nodes connected to the lower side, suppress generation of invalidation information,
For other invalidated nodes other than the leaf, second additional information indicating that all nodes connected to the lower side are not invalidated, and whether each of the lower n nodes is invalidated 7. The revocation list generation device according to claim 6, wherein revocation information including n-digit information indicating whether the revocation list is generated is generated. The tree structure is an n-ary tree, where n is an integer of 2 or more,
The revocation list generation means,
For an invalidated node excluding a leaf, in which all nodes connected to the lower side are invalidated, an n-digit number indicating that each of the lower n nodes is invalidated. Generate special invalidation information consisting of special values,
For all invalidated nodes connected to the lower side, suppress generation of invalidation information,
7. The n-digit invalidation information indicating whether or not each of the lower n nodes is invalidated for other invalidated nodes other than the leaves is generated, according to claim 6, wherein: Revocation list generator. All nodes of the tree structure storage means are invalidated,
The tree structure further has one or more extension nodes below the leaves constituting the tree structure in accordance with an extension rule relating to the expansion of the tree structure. The above-mentioned extended leaves correspond to different extended public key certificates respectively, and the extended leaf identifier indicating each extended leaf identifies at least one of the extended public key certificates identifying the extended public key certificate. The extended public key certificate has been revoked, and all nodes from the extended leaf to the root indicated by the extended leaf identifier that identifies the revoked extended public key certificate have been revoked,
The revocation list generating means further generates, for each of the revoked extension nodes except the extension leaf, extended extension revocation information indicating whether or not each of the subordinate extension nodes is revoked, and as a result, The extended invalidation information of the obtained, a plurality of obtained extended invalidation information, arranged in accordance with the expansion rules pertaining to the expansion of the tree structure, and added to the invalidation list,
3. The revocation list generation device according to claim 2, wherein the output unit outputs the revocation list to which extended revocation information is added. A revocation list generation device that generates a revocation list indicating a revoked public key certificate,
A plurality of leaves having a tree structure correspond to a plurality of public key certificates, respectively. A leaf identifier indicating each leaf identifies each public key certificate, and any of the public key certificates is invalidated. All the nodes are not invalidated, tree structure storage means having a plurality of nodes constituting the tree structure,
Revocation list generation means for determining that all nodes constituting the tree structure have not been revoked, and generating a revocation list indicating that the revoked public key certificate does not exist;
Output means for outputting the generated revocation list. Using the revocation list indicating the revoked public key certificate generated by the revocation list generation device, it is determined whether the obtained public key certificate is invalid, and the corresponding public key is determined when the obtained public key certificate is determined to be invalid. An invalidation determination device that suppresses use of a key,
The revocation list generation device has a plurality of nodes forming a tree structure, a plurality of leaves in the tree structure respectively correspond to a plurality of public key certificates, and a leaf identifier indicating each leaf is a public key. Identifying a certificate, wherein at least one of the public key certificates has been revoked, from the leaf indicated by the leaf identifier identifying the revoked public key certificate to the root. Are invalidated, and for each invalidated node except the leaf, invalidation information indicating whether each of the lower nodes is invalidated is generated, and as a result, multiple invalidations are performed. Information is obtained, a plurality of obtained revocation information is arranged according to the arrangement order according to the configuration of the tree structure to generate a revocation list, and the generated revocation list is output,
The invalidity determination device,
Certificate obtaining means for obtaining a public key certificate identified by a leaf identifier indicating one leaf of the tree structure;
List acquisition means for acquiring the revocation list,
Using the revocation information arranged in the obtained revocation list, an attempt is made to construct a route from a root to the leaf, and if the leaf is included in the constructed route, the acquired disclosure An invalidity judging device comprising: judging means for judging that a key certificate is invalid, and judging that the obtained public key certificate is valid when the leaf is not included. The tree structure is composed of a plurality of layers,
The invalidation information includes:
Starting from the route,
Are arranged according to the arrangement order, which is the order from the root layer to the leaf layer,
12. The method according to claim 11, wherein the determining unit constructs the path using the plurality of pieces of revocation information arranged according to the arrangement order, and determines whether the obtained public key certificate is invalid. Invalidity determination device. The invalidation information includes:
Starting from the route,
The order of nodes arranged on the route from the root to each leaf,
Arranged in accordance with the above-mentioned sequence order that is not arranged redundantly,
12. The method according to claim 11, wherein the determining unit constructs the path using the plurality of pieces of revocation information arranged according to the arrangement order, and determines whether the obtained public key certificate is invalid. Invalidity determination device. Invalidation information is generated for all invalidated nodes except for the leaf,
The invalidation determination apparatus according to claim 11, wherein the determination unit determines whether the acquired public key certificate is invalid by using the plurality of pieces of revocation information. Special invalidation indicating that all nodes connected to the lower side are invalidated for all invalidated nodes except for the leaf, and all nodes connected to the lower side are invalidated. Information is generated,
For all the invalidated nodes connected to the lower side, generation of invalidation information is suppressed,
For other invalidated nodes other than the leaf, invalidation information indicating whether or not each of the lower n nodes is invalidated is generated,
12. The invalidation determination apparatus according to claim 11, wherein the determination unit determines the invalidation of the obtained public key certificate using the special revocation information and the revocation information. A first addition indicating that all nodes connected to the lower side of the invalidated nodes except for the leaf, in which all nodes connected to the lower side are invalidated, are invalidated. Special invalidation information composed of information and n-digit information indicating that each of the lower n nodes is invalidated is generated,
For all the invalidated nodes connected to the lower side, generation of invalidation information is suppressed,
For other invalidated nodes other than the leaf, second additional information indicating that all nodes connected to the lower side are not invalidated, and whether each of the lower n nodes is invalidated And n-digit information indicating whether the invalidation information is generated.
16. The invalidation determination apparatus according to claim 15, wherein the determination unit determines whether the obtained public key certificate is invalid using the special revocation information and the revocation information. For an invalidated node excluding a leaf, in which all nodes connected to the lower side are invalidated, an n-digit number indicating that each of the lower n nodes is invalidated. Special invalidation information consisting of special values is generated,
For all the invalidated nodes connected to the lower side, generation of invalidation information is suppressed,
For other invalidated nodes other than the leaf, n-digit invalidation information indicating whether or not each of the lower n nodes is invalidated is generated,
16. The invalidation determination apparatus according to claim 15, wherein the determination unit determines whether the obtained public key certificate is invalid using the special revocation information and the revocation information. All nodes of the revocation list generation device are revoked, and the tree structure further includes one or more nodes below a leaf configuring the tree structure according to an expansion rule related to expansion of the tree structure. One or more extension leaves that are extension nodes and are the lowest nodes among the extension nodes correspond to different extension public key certificates, and an extension leaf identifier indicating each extension leaf is an extension public key certificate. At least one extended public key certificate among the extended public key certificates for identifying a certificate has been revoked, and from an extended leaf indicated by an extended leaf identifier for identifying the revoked extended public key certificate. All nodes up to the root are invalidated, and the revocation list generation device further includes a lower extended node for each invalidated extended node except the extended leaf. Are generated, indicating whether or not each of them is invalidated.As a result, a plurality of extended invalidation information is obtained, and the obtained plurality of extended invalidation information is related to the extension of the tree structure. Arranged according to the extension rule and added to the revocation list, output the revocation list with extended revocation information added,
The certificate obtaining means further obtains an extended public key certificate identified by an extended leaf identifier indicating one extended leaf of the tree structure,
The list acquisition unit acquires the revocation list to which extended revocation information is added,
The determining unit further attempts to construct a route from a root to the extended leaf using the extended invalidation information arranged in the acquired revocation list, and further includes an extension leaf in the constructed route. Is included, the acquired extended public key certificate is determined to be invalid, and if the extended leaf is not included, the acquired extended public key certificate is determined to be valid. The invalidity judging device according to claim 11, wherein: Using the revocation list indicating the revoked public key certificate generated by the revocation list generation device, it is determined whether the obtained public key certificate is invalid, and the corresponding public key is determined when the obtained public key certificate is determined to be invalid. An invalidation determination device that suppresses use of a key,
The revocation list generation device has a plurality of nodes forming a tree structure, a plurality of leaves in the tree structure respectively correspond to a plurality of public key certificates, and a leaf identifier indicating each leaf is a public key. Identify the certificate, none of the public key certificates has been revoked, all nodes have not been revoked, and all nodes constituting the tree structure have not been revoked. Judge, generate a revocation list indicating that the revoked public key certificate does not exist, output the generated revocation list,
The invalidity determination device,
Certificate obtaining means for obtaining a public key certificate identified by a leaf identifier indicating one leaf of the tree structure;
List acquisition means for acquiring the revocation list,
A determination unit configured to determine that the public key certificate has not been revoked using the obtained revocation list. A revocation list generation method used in a revocation list generation device that generates a revocation list indicating a revoked public key certificate,
In the revocation list generation device, a plurality of leaves having a tree structure respectively correspond to a plurality of public key certificates, a leaf identifier indicating each leaf identifies each public key certificate, At least one of the public key certificates is revoked, and all nodes from the leaf to the root indicated by the leaf identifier identifying the revoked public key certificate are revoked, and the tree structure Tree storage means having a plurality of nodes constituting
The revocation list generation method includes:
For each invalidated node excluding the leaf, invalidation information indicating whether each of the lower nodes is invalidated is generated, and as a result, a plurality of invalidation information is obtained, and the obtained invalidation information is obtained. Invalidation information, an invalidation list generating step of arranging according to the arrangement order according to the configuration of the tree structure to generate an invalidation list,
An output step of outputting the generated revocation list. A revocation list generation program used in a revocation list generation device that generates a revocation list indicating a revoked public key certificate,
In the revocation list generation device, a plurality of leaves having a tree structure respectively correspond to a plurality of public key certificates, a leaf identifier indicating each leaf identifies each public key certificate, At least one of the public key certificates has been revoked, and all nodes from the leaf indicated by the leaf identifier identifying the revoked public key certificate to the root have been revoked; A tree structure storage unit having a plurality of nodes forming a tree structure,
The revocation list generation program includes:
For each invalidated node excluding the leaf, invalidation information indicating whether each of the lower nodes is invalidated is generated, and as a result, a plurality of invalidation information is obtained, and the obtained invalidation information is obtained. Invalidation information, an invalidation list generating step of arranging according to the arrangement order according to the configuration of the tree structure to generate an invalidation list,
And an output step of outputting the generated revocation list. A computer-readable recording medium recording a revocation list generation program used in a revocation list generation device that generates a revocation list indicating a revoked public key certificate,
In the revocation list generation device, a plurality of leaves having a tree structure respectively correspond to a plurality of public key certificates, a leaf identifier indicating each leaf identifies each public key certificate, At least one of the public key certificates has been revoked, and all nodes from the leaf indicated by the leaf identifier identifying the revoked public key certificate to the root have been revoked; A tree structure storage unit having a plurality of nodes forming a tree structure,
The revocation list generation program includes:
For each invalidated node excluding the leaf, invalidation information indicating whether each of the lower nodes is invalidated is generated, and as a result, a plurality of invalidation information is obtained, and the obtained invalidation information is obtained. Invalidation information, an invalidation list generating step of arranging according to the arrangement order according to the configuration of the tree structure to generate an invalidation list,
An output step of outputting the generated revocation list. Using the revocation list indicating the revoked public key certificate generated by the revocation list generation device, it is determined whether the obtained public key certificate is invalid, and the corresponding public key is determined when the obtained public key certificate is determined to be invalid. An invalidation determination method used in an invalidation determination device that suppresses use of a key,
The revocation list generation device has a plurality of nodes forming a tree structure, a plurality of leaves in the tree structure respectively correspond to a plurality of public key certificates, and a leaf identifier indicating each leaf is a public key. Identifying a certificate, wherein at least one of the public key certificates has been revoked, from the leaf indicated by the leaf identifier identifying the revoked public key certificate to the root. Are invalidated, and for each invalidated node except the leaf, invalidation information indicating whether each of the lower nodes is invalidated is generated, and as a result, multiple invalidations are performed. Information is obtained, a plurality of obtained revocation information is arranged according to the arrangement order according to the configuration of the tree structure to generate a revocation list, and the generated revocation list is output,
The invalidity determination method includes:
A certificate obtaining step of obtaining a public key certificate identified by a leaf identifier indicating one leaf of the tree structure;
A list acquisition step of acquiring the revocation list,
Using the revocation information arranged in the obtained revocation list, an attempt is made to construct a route from a root to the leaf, and if the leaf is included in the constructed route, the acquired disclosure Determining that the key certificate is invalid and, if the leaf is not included, determining that the obtained public key certificate is valid. Using the revocation list indicating the revoked public key certificate generated by the revocation list generation device, it is determined whether the obtained public key certificate is invalid, and the corresponding public key is determined when the obtained public key certificate is determined to be invalid. An invalidation determination program used in an invalidation determination device that suppresses use of a key,
The revocation list generation device has a plurality of nodes forming a tree structure, a plurality of leaves in the tree structure respectively correspond to a plurality of public key certificates, and a leaf identifier indicating each leaf is a public key. Identifying a certificate, wherein at least one of the public key certificates has been revoked, from the leaf indicated by the leaf identifier identifying the revoked public key certificate to the root. Are invalidated, and for each invalidated node except the leaf, invalidation information indicating whether each of the lower nodes is invalidated is generated, and as a result, multiple invalidations are performed. Information is obtained, a plurality of obtained revocation information is arranged according to the arrangement order according to the configuration of the tree structure to generate a revocation list, and the generated revocation list is output,
The invalidity determination program includes:
A certificate obtaining step of obtaining a public key certificate identified by a leaf identifier indicating one leaf of the tree structure;
A list acquisition step of acquiring the revocation list,
Using the revocation information arranged in the obtained revocation list, an attempt is made to construct a route from a root to the leaf, and if the leaf is included in the constructed route, the acquired disclosure A determining step of determining that the key certificate is invalid, and determining that the acquired public key certificate is valid when the leaf is not included. Using the revocation list indicating the revoked public key certificate generated by the revocation list generation device, it is determined whether the obtained public key certificate is invalid, and the corresponding public key is determined when the obtained public key certificate is determined to be invalid. A computer-readable recording medium recording an invalidation determination program used in an invalidation determination device that suppresses use of a key,
The revocation list generation device has a plurality of nodes forming a tree structure, a plurality of leaves in the tree structure respectively correspond to a plurality of public key certificates, and a leaf identifier indicating each leaf is a public key. Identifying a certificate, wherein at least one of the public key certificates has been revoked, from the leaf indicated by the leaf identifier identifying the revoked public key certificate to the root. Are invalidated, and for each invalidated node except the leaf, invalidation information indicating whether each of the lower nodes is invalidated is generated, and as a result, multiple invalidations are performed. Information is obtained, a plurality of obtained revocation information is arranged according to the arrangement order according to the configuration of the tree structure to generate a revocation list, and the generated revocation list is output,
The invalidity determination program includes:
A certificate obtaining step of obtaining a public key certificate identified by a leaf identifier indicating one leaf of the tree structure;
A list acquisition step of acquiring the revocation list,
Using the revocation information arranged in the obtained revocation list, an attempt is made to construct a route from a root to the leaf, and if the leaf is included in the constructed route, the acquired disclosure A determination step of determining that the key certificate is invalid and determining that the obtained public key certificate is valid when the leaf is not included. A computer-readable recording medium recording a revocation list indicating a revoked public key certificate generated by a revocation list generation device,
The revocation list generation device,
A plurality of leaves in a tree structure correspond to a plurality of public key certificates, respectively, a leaf identifier indicating each leaf identifies each public key certificate, and at least one public key certificate among the public key certificates is provided. All nodes from the leaf indicated by the leaf identifier that identifies the revoked public key certificate to the root have been revoked, and a plurality of nodes constituting the tree structure have been revoked. Tree structure storage means having
For each invalidated node excluding the leaf, invalidation information indicating whether each of the lower nodes is invalidated is generated, and as a result, a plurality of invalidation information is obtained, and the obtained invalidation information is obtained. Revocation information, revocation list generating means for generating a revocation list by arranging according to the arrangement order related to the configuration of the tree structure,
The recording medium, wherein the generated revocation list is recorded. A computer-readable recording medium recording a revocation list indicating a revoked public key certificate generated by a revocation list generation device,
The revocation list generation device,
A plurality of leaves having a tree structure correspond to a plurality of public key certificates, respectively. A leaf identifier indicating each leaf identifies each public key certificate, and any of the public key certificates is invalidated. All the nodes are not invalidated, tree structure storage means having a plurality of nodes constituting the tree structure,
All nodes constituting the tree structure are provided with revocation list generation means for determining that the revocation has not been performed and generating a revocation list indicating that the revoked public key certificate does not exist;
The recording medium, wherein the generated revocation list is recorded.

Images